Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: a944203
Author: Manuel
Date: 2026-03-13T22:47:51Z
Commit Message
fix: Session token expiration unchecked on cache hit (#10194)
Pull Request
PR: #10194 - fix: Session token expiration unchecked on cache hit
Labels: state:released-alpha
Description:
Summary
- Stores expiresAt alongside user data in the session cache
- Checks expiresAt on cache hits and rejects expired sessions
- Evicts expired cache entries on detection
Test plan
Analysis
Vulnerability Type: Authentication Bypass (Session Expiration Ignored)
Severity: High
Description
Before the patch, session tokens stored in cache did not have their expiration validated, allowing expired sessions to be treated as valid if served from cache. This allowed attackers to reuse expired session tokens to gain unauthorized access. The patch fixes this by storing the expiration time alongside cached sessions and rejecting expired tokens upon cache retrieval.
Affected Code
const userJSON = await cacheController.user.get(sessionToken);
if (userJSON) {
  const cachedUser = Parse.Object.fromJSON(userJSON);
  // No expiresAt check on the cache hit: the cached user is returned even
  // if the underlying session has already expired.
  renewSessionIfNeeded({ config, sessionToken });
  return Promise.resolve(cachedUser);
}
Proof of Concept
1. Configure the server with short session length (1 second) but longer cache TTL (5 seconds).
2. Authenticate and obtain a session token.
3. Wait for session to expire (1 second) but less than cache TTL.
4. Make authenticated request with expired token, which gets served from cache.
Expected: Before patch, request succeeds despite expired session token; after patch, request fails with error code 209 and message 'Session token is expired.'
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-14T00:01:44.649Z