Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: ea68fc0
Author: Manuel
Date: 2026-03-21T01:37:35Z
Commit Message
fix: Session update endpoint allows overwriting server-generated session fields ([GHSA-jc39-686j-wp6q](https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q)) (#10263)
Pull Request
PR: #10263 - fix: Session update endpoint allows overwriting server-generated session fields (GHSA-jc39-686j-wp6q)
Labels: state:released-alpha
Description:
Issue
Session update endpoint allows overwriting server-generated session fields ([GHSA-jc39-686j-wp6q](https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q))
Tasks
Analysis
Vulnerability Type: Session Fixation / Privilege Escalation
Severity: High
Description
Before this patch, authenticated users could update server-generated session fields such as 'expiresAt' and 'createdWith' via the session update endpoint. This allowed attackers to extend session lifetime or manipulate session metadata, potentially leading to session fixation and unauthorized session persistence. The patch restricts updating these fields to master key operations only, preventing normal users from overwriting trusted session data.
Affected Code
```javascript
} else if (this.data.sessionToken) {
  throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
```
Proof of Concept
1. Sign up and log in as a normal user to obtain a session token.
2. Retrieve your session's objectId via GET /sessions/me.
3. Send a PUT request to /sessions/{sessionId} including this body:
```json
{
  "expiresAt": {"__type": "Date", "iso": "2099-12-31T23:59:59.000Z"}
}
```
4. Observe that before the patch this call succeeds, overwriting the session expiry.
5. This lets the user keep their session valid indefinitely, bypassing intended expiration controls and potentially allowing long-term unauthorized access.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-21T06:00:37.235Z