MEDIUM 4.3 npm
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
GHSA-g4v2-qx3q-4p64 · BIT-parse-2026-39381 · CVE-2026-39381
Description
Impact
The GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields.
Patches
The GET /sessions/me handler now re-fetches the session with the caller's auth context after validating the session token, ensuring protectedFields and CLP apply consistently with other session endpoints.
Workarounds
None.
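As an added example (not part of this advisory or of Parse Server's own code), the following Node script verifies whether a deployment still shows the discrepancy described above by comparing the caller's own session as returned by `GET /sessions/me` and by `GET /sessions/:objectId`. It assumes Node 18+ (global `fetch`), a REST base URL such as `http://localhost:1337/parse`, the hypothetical environment variables `PARSE_SERVER_URL`, `PARSE_APP_ID` and `PARSE_SESSION_TOKEN`, and an assumed protected field named `installationId` in the constructed sample data.

```javascript
// Added example, not Parse Server code. Compares the caller's own session as
// served by /sessions/me and /sessions/:objectId; any field present only in
// the /me body was not stripped by protectedFields.

// Pure comparison so it can be checked offline: field names present in the
// /sessions/me body but absent from the by-objectId body (sorted).
function leakedFields(meBody, byIdBody) {
  const stripped = new Set(Object.keys(byIdBody));
  return Object.keys(meBody).filter((k) => !stripped.has(k)).sort();
}

// Constructed sample responses (not captured from a real server). The
// protected field name 'installationId' is an assumption for illustration.
const SAMPLE_ME = {
  objectId: 'sess1',
  sessionToken: 'r:constructed-token',
  createdWith: { action: 'login', authProvider: 'password' },
  expiresAt: { __type: 'Date', iso: '2026-01-01T00:00:00.000Z' },
  installationId: 'device-1', // survives only in the /me response
};
const SAMPLE_BY_ID = {
  objectId: 'sess1',
  sessionToken: 'r:constructed-token',
  createdWith: { action: 'login', authProvider: 'password' },
  expiresAt: { __type: 'Date', iso: '2026-01-01T00:00:00.000Z' },
};

// Live check against a server: fetch /sessions/me, then the same session by
// objectId, both with the caller's own session token, and diff the bodies.
async function checkServer(baseUrl, appId, sessionToken) {
  const headers = {
    'X-Parse-Application-Id': appId,
    'X-Parse-Session-Token': sessionToken,
  };
  const me = await (await fetch(`${baseUrl}/sessions/me`, { headers })).json();
  const byId = await (
    await fetch(`${baseUrl}/sessions/${me.objectId}`, { headers })
  ).json();
  return leakedFields(me, byId);
}

if (process.env.PARSE_SERVER_URL) {
  checkServer(process.env.PARSE_SERVER_URL, process.env.PARSE_APP_ID,
    process.env.PARSE_SESSION_TOKEN)
    .then((f) => console.log(f.length
      ? `fields exposed via /sessions/me but not /sessions/:objectId: ${f.join(', ')}`
      : 'no discrepancy: /sessions/me strips the same fields as /sessions/:objectId'))
    .catch((err) => console.error('check failed:', err.message));
} else {
  console.log('offline sample, leaked:', leakedFields(SAMPLE_ME, SAMPLE_BY_ID));
}
```

An empty result after upgrading to the fixed releases confirms the re-fetch under the caller's auth context is in place; a non-empty result on a patched server points to a configuration difference rather than this bug.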
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-39381
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407
- Package: https://github.com/parse-community/parse-server