
Cloud Vulnerability DB
A community-led vulnerabilities database
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability (CVE-2021-39138) was discovered and disclosed on August 19, 2021, affecting versions prior to 4.5.1. The issue involves incorrect session creation for anonymous users when signing up through the REST API: the createdWith.authProvider field of the _Session object incorrectly records that the user logged in with a password rather than through anonymous authentication (GitHub Advisory).
The vulnerability stems from an authentication provider misclassification in the session creation process. When an anonymous user signs up using the REST API, the server incorrectly sets the session's createdWith.authProvider field to 'password' instead of 'anonymous'. This issue has been assigned a CVSS v3.1 score of 6.5 (MEDIUM) and CVSS v2.0 score of 6.4 (MEDIUM) (NVD Results).
The vulnerability only affects applications that directly rely on the createdWith field to make security decisions or implement different access levels between password-authenticated and anonymous users. The server's internal functionality is not affected as it does not use the createdWith field for internal decision-making (GitHub Advisory).
The issue has been patched in Parse Server version 4.5.1. For users unable to upgrade immediately, the recommended workaround is to avoid using the createdWith Session field for making access control decisions when anonymous login is enabled. Note that the fix does not retroactively correct the incorrect `authProvider: password` value already stored in existing sessions of anonymous users (GitHub Advisory).
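As an added illustration (not code from the advisory or from the Parse Server project), the Node.js sketch below contrasts an access check that trusts createdWith.authProvider with one that derives the user's authentication class from the _User record's authData (assuming Parse's data model, where anonymous users carry an authData.anonymous entry), and adds an audit over already-stored sessions, which the 4.5.1 fix does not rewrite. The _Session and _User rows are constructed plain objects so the example runs offline.

```javascript
// Added example (not from the advisory or the Parse Server project).
// _Session and _User rows are modelled as plain objects so this runs offline;
// the records below are constructed to mirror the bug described above.

// Assumption about Parse's data model: anonymous users carry an
// `authData.anonymous` entry on the _User object; password users do not.
function isAnonymousUser(user) {
  return Boolean(user && user.authData && user.authData.anonymous);
}

// Vulnerable decision: trusts session.createdWith.authProvider, which the
// affected versions set to 'password' even for anonymous sign-ups via REST.
function grantsElevatedAccessBySession(session) {
  return Boolean(session.createdWith) &&
    session.createdWith.authProvider === 'password';
}

// Hardened decision (the advisory's workaround): do not consult createdWith;
// derive the authentication class from the linked _User record instead.
function grantsElevatedAccess(session, usersById) {
  const user = usersById[session.user.objectId];
  if (!user) return false;           // unknown user: fail closed
  return !isAnonymousUser(user);
}

// Audit helper for existing data: returns ids of sessions whose recorded
// provider says 'password' while the linked user is actually anonymous.
function findMisclassifiedSessions(sessions, usersById) {
  return sessions
    .filter(s => {
      const user = usersById[s.user.objectId];
      const provider = s.createdWith && s.createdWith.authProvider;
      return user && isAnonymousUser(user) && provider === 'password';
    })
    .map(s => s.objectId);
}

// Constructed sample data: one anonymous user who signed up through REST on
// an affected version (session mislabelled), and one genuine password user.
const USERS = {
  u_anon: { objectId: 'u_anon', authData: { anonymous: { id: 'constructed-id' } } },
  u_pw:   { objectId: 'u_pw', username: 'alice' },
};
const SESSIONS = [
  { objectId: 's1', user: { objectId: 'u_anon' },
    createdWith: { action: 'signup', authProvider: 'password' } },
  { objectId: 's2', user: { objectId: 'u_pw' },
    createdWith: { action: 'login', authProvider: 'password' } },
];
```

Running the audit over a real _Session export (after upgrading) lists the sessions that still carry the stale value, so they can be invalidated or re-evaluated from authData.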
Source: This report was generated using AI