CVE-2026-57481
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-57481 is an information disclosure vulnerability in Parse Server's LiveQuery feature, tracked as GHSA-97pr-9hgg-3p8r. It allows an authenticated LiveQuery subscriber to receive object field values they are not authorized to read when a single save operation simultaneously changes both object field data and the subscriber's ACL read access. Affected versions include parse-server >= 9.0.0 and < 9.9.1-alpha.13, as well as all versions <= 8.6.82 in the v8 branch. The vulnerability was published and patched on June 19, 2026, by maintainer mtrezza. It carries a CVSS v4 base score of 2.3 (Low) (GitHub Advisory).

Détails techniques

The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in ParseLiveQueryServer._onAfterSave in src/LiveQuery/ParseLiveQueryServer.ts, which failed to verify the subscriber's ACL read authorization for the specific object state included in LiveQuery leave and enter events. When a save removes a subscriber's read access, the resulting leave event incorrectly carried the post-update object body (data the subscriber is no longer permitted to see); symmetrically, when a save grants read access, the enter event included the pre-grant object state (data the subscriber was never authorized to read). Exploitation requires the attacker to already be an authenticated subscriber (low privileges) and depends on the specific deployment condition where content and ACL changes are combined in a single save on a LiveQuery-enabled class. Master-key subscribers and normal query-mismatch leave/enter events are unaffected (GitHub Advisory, PR #10515).

Impact

The impact is limited to confidentiality — there is no integrity or availability impact. A subscriber can receive unauthorized object field values, but only for the single object involved in the combined ACL+content save, and only the subscriber whose access changed is affected. There is no potential for lateral movement, remote code execution, or broader data exfiltration beyond the disclosed object state in that specific event (GitHub Advisory).

Étapes d’exploitation

  1. Prerequisite: Identify a Parse Server deployment with LiveQuery enabled on one or more classes, running a vulnerable version (parse-server >= 9.0.0 < 9.9.1-alpha.13, or <= 8.6.82).
  2. Authenticate: Obtain a valid session token for a low-privilege user account on the target Parse Server instance.
  3. Subscribe via LiveQuery: Open a WebSocket connection to the Parse Server LiveQuery endpoint and subscribe to a query matching the target class (e.g., new Parse.Query('SensitiveClass')).
  4. Trigger the vulnerable save: Cause (or wait for) a save operation on an object in that class that simultaneously changes object field values and modifies the subscriber's ACL read access — either revoking or granting it.
  5. Capture the event payload: Observe the leave event (if ACL was revoked) or enter event (if ACL was granted) delivered over the WebSocket. The event payload will contain object field values the subscriber is not authorized to read — either the post-revocation state (leave) or the pre-grant state (enter) (GitHub Advisory, PR #10515).

Atténuation et solutions de contournement

Upgrade parse-server to version 9.9.1-alpha.13 (for v9 users) or 8.6.83 (for v8/LTS users), both released on June 19, 2026. The fix adds ACL-read authorization checks in _onAfterSave so that leave events deliver only the last authorized object state and enter events omit the pre-grant snapshot. As a workaround, avoid combining object field changes and ACL changes in the same save on LiveQuery-enabled classes — perform the ACL change in a separate save before or after the content change. Alternatively, restrict which classes are enabled for LiveQuery to reduce exposure (GitHub Advisory, PR #10516).

Réactions de la communauté

The vulnerability was reported and coordinated by parse-community maintainer mtrezza, who also authored both fix pull requests. No notable external researcher commentary, media coverage, or significant community discussion beyond the GitHub advisory and pull request threads has been identified at this time (GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git-core
NonOuiJul 08, 2026
CVE-2026-57480HIGH8.7
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55849HIGH8.5
  • JavaScript logoJavaScript
  • @cyclonedx/cyclonedx-npm
NonOuiJul 08, 2026
CVE-2026-57481LOW2.3
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55778LOW2.1
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités