Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: f63fd1a
Author: Manuel
Date: 2026-03-29T18:36:52Z
Commit Message
fix: LiveQuery protected-field guard bypass via array-like logical operator value ([GHSA-mmg8-87c5-jrc2](https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2)) (#10350)
Pull Request
PR: #10350 - fix: LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2)
Labels: state:released-alpha
Description:
Issue
LiveQuery protected-field guard bypass via array-like logical operator value ([GHSA-mmg8-87c5-jrc2](https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2))
Analysis
Vulnerability Type: Information Disclosure via Authorization Bypass
Severity: High
Description
The patch fixes a vulnerability in the LiveQuery protected-field guard that could be bypassed by supplying an array-like object, rather than a real array, as the value of a logical operator ($or, $and, $nor), allowing unauthorized access to protected fields. Before the patch, a query whose logical-operator value was an array-like object (an object with numeric keys and a `length` property) could subscribe to LiveQuery events even though the query referenced protected fields, leading to sensitive data exposure. The patch enforces stricter validation and rejects such malformed queries, closing the avenue for this data leak.
Affected Code
```js
// Array-like object used where the guard expected a real array
query._where = {
  $or: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
};
```
Proof of Concept
```js
const query = new Parse.Query('SecretClass');
// Array-like object in place of an array for the $or operator
query._where = {
  $or: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
};
await query.subscribe(); // Before patch: subscription succeeds, exposing protected data
// After patch: subscription is rejected with { code: Parse.Error.INVALID_QUERY }
```
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-30T00:00:42.708Z