Executive Summary

This vulnerability affects Parse Server versions prior to 9.6.0-alpha.17 and 8.6.42. An authenticated user can overwrite server-generated session fields such as sessionToken, expiresAt, and createdWith when creating a session object via the POST /classes/_Session endpoint.

By overwriting these fields, the user can bypass the server's session expiration policy by setting an arbitrary far-future expiration date and can also set a predictable session token value.

Starting from versions 9.6.0-alpha.17 and 8.6.42, the server filters out these server-generated fields from user-supplied data to prevent overwriting. A workaround for vulnerable versions is to add a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for these fields.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user to bypass session expiration controls by setting a session to expire at a far-future date, effectively extending their session indefinitely.

It also allows the user to set predictable session token values, which can increase the risk of session hijacking or unauthorized access.

Overall, this can lead to unauthorized prolonged access to the system without re-authentication, potentially compromising the security of the application.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Parse Server to version 9.6.0-alpha.17 or 8.6.42 or later, where the session creation endpoint filters out server-generated fields from user-supplied data, preventing overwriting.

As a workaround if upgrading is not immediately possible, add a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for sessionToken, expiresAt, and createdWith.

Useful 0 Not Useful 0