CVE-2021-41109: 
JavaScript vulnerability analysis and mitigation

Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, was found to have a security vulnerability prior to version 4.10.4. For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it was not properly handled. If a user had a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups would be broadcast as part of the LiveQuery payload (GitHub Advisory).

The vulnerability exists in the LiveQuery functionality where session tokens were not being stripped from the payload responses. This exposed sensitive authentication tokens that should have remained private. The issue was assigned CVE-2021-41109 and received a CVSS v2.0 base score of 4.3 MEDIUM (NVD). The vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

If exploited, this vulnerability could allow attackers to obtain session tokens of users during sign-up operations when LiveQuery is being used to monitor the Parse.User class. These session tokens could potentially be used to hijack user sessions and gain unauthorized access to user accounts (GitHub Advisory).

The vulnerability was patched in Parse Server version 4.10.4 by removing session tokens from the LiveQuery payload. For users unable to upgrade immediately, a workaround is available by setting user.acl(new Parse.ACL()) in a beforeSave trigger to make the user private already on sign-up (GitHub Advisory).