CVE-2022-39225: 
JavaScript vulnerability analysis and mitigation

Parse Server, an open source backend, was found to contain a session object vulnerability (CVE-2022-39225) that was disclosed on September 20, 2022. The vulnerability affects versions <4.10.15 and >=5.0.0 <5.2.6 of the software. The issue allows a foreign user to write to the session object of another user if the session object ID is known (GitHub Advisory).

The vulnerability allows an attacker to assign the session object to their own user by writing to the user field and then read any custom fields of that session object. The vulnerability only exists for foreign session objects, as a user cannot assign their own session to another user. While the session object ID of another user is typically not known, it is possible to brute-force guess an object ID, although the attacker would not know which user a successfully guessed session object ID belongs to (GitHub Advisory).

The vulnerability has a moderate severity rating with a CVSS score of 4.3. While assigning a session to a foreign user does not usually change the privileges of either user according to Parse Server's internal session object usage, if custom logic is used to relate specific session objects to privileges, this vulnerability may have a higher level of severity. The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to authenticate as that user (GitHub Advisory).

The vulnerability has been patched in versions >=4.10.15 <5.0.0 and >=5.2.6. The fix prevents writing to foreign session objects, even if the session object ID is known. As a workaround, administrators can add a beforeSave trigger to the _Session class and prevent writing if the requesting user is different from the user in the session object (GitHub Advisory).