Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 9080296
Author: Manuel
Date: 2026-03-29T03:55:39Z
Commit Message
fix: Session field immutability bypass via falsy-value guard ([GHSA-f6j3-w9v3-cq22](https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22)) (#10347)
Pull Request
PR: #10347 - fix: Session field immutability bypass via falsy-value guard (GHSA-f6j3-w9v3-cq22)
Labels: state:released-alpha
Description:
Issue
Session field immutability bypass via falsy-value guard ([GHSA-f6j3-w9v3-cq22](https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22))
Analysis
Vulnerability Type: Privilege Escalation (Session Field Immutability Bypass)
Severity: High
Description
Before this patch, the code allowed users to update critical session fields (such as expiresAt, createdWith, installationId, and sessionToken) to null or other falsy values, because it tested for the presence of these fields with truthy checks rather than checking whether the key was present in the update payload. A falsy value therefore passed every guard, bypassing session field immutability. This could enable attackers to manipulate session properties, potentially extending session lifetimes or bypassing security controls. The patch fixes this by checking for the explicit existence of the key in the update payload, rejecting any attempt to modify these protected session fields regardless of the value supplied, and thus preserving session integrity.
Affected Code
```js
// Pre-patch guard in the session update path. Each branch tests the field's
// value for truthiness, so a falsy value such as null passes every check and
// the protected field is overwritten.
if (this.data.installationId) {
  throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'Invalid key name: installationId');
} else if (this.data.sessionToken) {
  throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'Invalid key name: sessionToken');
} else if (this.data.expiresAt && !this.auth.isMaster && !this.auth.isMaintenance) {
  throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'Invalid key name: expiresAt');
}
```
Proof of Concept
Send an HTTP PUT request to update a session with a null expiresAt value:
```http
PUT /1/sessions/<sessionId>
X-Parse-Application-Id: test
X-Parse-REST-API-Key: rest
X-Parse-Session-Token: <valid-session-token>
Content-Type: application/json

{
  "expiresAt": null
}
```
Expected Behavior before patch:
- The update succeeds, allowing the expiresAt field to be overwritten with null.
Expected Behavior after patch:
- The server responds with error code INVALID_KEY_NAME, rejecting the update and preserving the original expiresAt value.
This demonstrates how malicious clients could previously bypass immutability constraints of sensitive session fields by setting them to falsy values that were not properly checked.
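The following is an added, stand-alone illustration of the guard defect and its fix; it is not parse-server's code. The `ParseError` class, the `INVALID_KEY_NAME` constant and the helper names are assumptions made so the two guard styles can be compared side by side on the same payloads.

```javascript
// Minimal stand-in for Parse.Error (assumption: not the Parse SDK class).
class ParseError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}
// Placeholder for Parse.Error.INVALID_KEY_NAME; the real code lives in the Parse SDK.
const INVALID_KEY_NAME = 105;

// Fields that a session update must never be allowed to change.
const PROTECTED_SESSION_FIELDS = ['installationId', 'sessionToken', 'expiresAt'];

// Pre-patch style: truthy check on the value. null, '', 0 and false slip through.
function guardWithTruthyCheck(data, auth) {
  for (const field of PROTECTED_SESSION_FIELDS) {
    // Master/maintenance callers may set expiresAt, as in the affected code.
    if (field === 'expiresAt' && (auth.isMaster || auth.isMaintenance)) continue;
    if (data[field]) {
      throw new ParseError(INVALID_KEY_NAME, `Invalid key name: ${field}`);
    }
  }
}

// Post-patch style: reject when the key is present in the payload at all.
// hasOwnProperty (rather than `in`) avoids matching inherited properties;
// keys parsed from a JSON request body are always own properties.
function guardWithPresenceCheck(data, auth) {
  for (const field of PROTECTED_SESSION_FIELDS) {
    if (field === 'expiresAt' && (auth.isMaster || auth.isMaintenance)) continue;
    if (Object.prototype.hasOwnProperty.call(data, field)) {
      throw new ParseError(INVALID_KEY_NAME, `Invalid key name: ${field}`);
    }
  }
}

// Runs a guard over a payload and reports 'accepted' or the rejection code.
function outcome(guard, payload, auth = { isMaster: false, isMaintenance: false }) {
  try {
    guard(payload, auth);
    return 'accepted';
  } catch (e) {
    if (e instanceof ParseError) return e.code;
    throw e;
  }
}
```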
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-29T06:00:31.536Z