{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/parse-server/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["parse-server","livequery","data-leak","cve-2026-34363"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eParse Server, an open-source backend for web and mobile applications, is susceptible to a vulnerability in its LiveQuery functionality. This issue stems from the concurrent handling of multiple subscribers using shared mutable objects. Specifically, when several clients subscribe to the same class via LiveQuery, event handlers process each subscriber concurrently, leading to a situation where sensitive data filters modify shared objects in-place. This can cause protected fields and authentication data to be leaked to clients that should not have access to them, or lead to incomplete objects being received by clients that should see the data. The vulnerability affects Parse Server deployments using LiveQuery with protected fields or afterEvent triggers when multiple clients are subscribed to the same class. Specifically, versions before 8.6.65 and versions 9.0.0 up to (but not including) 9.7.0-alpha.9 are vulnerable. Patches have been released to address this vulnerability by deep-cloning the shared objects, ensuring isolation between subscribers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Parse Server deployment using LiveQuery with protected fields or afterEvent triggers.\u003c/li\u003e\n\u003cli\u003eAttacker determines the server is running a vulnerable version of Parse Server (e.g., 9.6.0).\u003c/li\u003e\n\u003cli\u003eAttacker subscribes to a LiveQuery for a specific class containing protected fields.\u003c/li\u003e\n\u003cli\u003eA legitimate user subscribes to the same LiveQuery for the same class.\u003c/li\u003e\n\u003cli\u003eThe server processes the legitimate user\u0026rsquo;s subscription first. A sensitive data filter removes a protected field from the shared object.\u003c/li\u003e\n\u003cli\u003eThe server then processes the attacker\u0026rsquo;s subscription. Because the object has already been filtered by the previous subscriber\u0026rsquo;s request, the attacker receives the object without the protected field check being applied.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to data they should not be able to view.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially exploit this information to further compromise the application or access other sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability could lead to the exposure of sensitive information, including protected fields and authentication data, to unauthorized users. The number of affected deployments is unknown, but any Parse Server instance utilizing LiveQuery with protected fields or afterEvent triggers is potentially at risk. Successful exploitation could result in data breaches, privacy violations, and unauthorized access to sensitive application resources. The severity is high due to the potential for widespread data leakage and the lack of a workaround prior to patching.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Parse Server to version 8.6.65 or later, or version 9.7.0-alpha.9 or later to patch CVE-2026-34363.\u003c/li\u003e\n\u003cli\u003eMonitor Parse Server logs for unusual LiveQuery subscription patterns that might indicate an attempted exploitation. While there are no specific rules provided here, correlate server logs with application usage to detect anomalies.\u003c/li\u003e\n\u003cli\u003eIf unable to immediately patch, consider disabling LiveQuery functionality or removing protected fields as a temporary mitigation, though this will impact application functionality.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T17:40:59Z","date_published":"2026-03-30T17:40:59Z","id":"/briefs/2024-01-02-parse-server-livequery-leak/","summary":"Parse Server versions before 8.6.65 and between 9.0.0 and 9.7.0-alpha.9 are vulnerable to a data leak where protected fields and authentication data can be exposed to unauthorized clients due to shared mutable objects across concurrent LiveQuery subscribers.","title":"Parse Server LiveQuery Protected Field Leak via Shared Mutable State","url":"https://feed.craftedsignal.io/briefs/2024-01-02-parse-server-livequery-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Parse-Server","version":"https://jsonfeed.org/version/1.1"}