GHSA-M983-V2FF-WQ65
Vulnerability from github – Published: 2026-03-30 17:40 – Updated: 2026-03-31 18:51Impact
When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.
Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state.
Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.
Patches
The fix deep-clones the shared objects at the start of each subscriber's processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter.
Workarounds
There is no known workaround.
Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.7.0-alpha.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.65"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34363"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T17:40:59Z",
"nvd_published_at": "2026-03-31T15:16:18Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWhen multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber\u0027s filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.\n\nAdditionally, when an afterEvent Cloud Code trigger is registered, one subscriber\u0027s trigger modifications can leak to other subscribers through the same shared mutable state.\n\nAny Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.\n\n### Patches\n\nThe fix deep-clones the shared objects at the start of each subscriber\u0027s processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter.\n\n### Workarounds\n\nThere is no known workaround.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331",
"id": "GHSA-m983-v2ff-wq65",
"modified": "2026-03-31T18:51:49Z",
"published": "2026-03-30T17:40:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10330"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10331"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiveQuery protected field leak via shared mutable state across concurrent subscribers"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.