Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions (protectedFields) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave).
Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.
Patches
The vulnerability was caused by a reference detachment bug. When an afterEvent trigger is registered, the LiveQuery server converts the event object to a Parse.Object for the trigger, then creates a new JSON copy via toJSONwithObjects(). The sensitive data filter was applied to the Parse.Object reference, but the unfiltered JSON copy was sent to clients. The fix ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients.
Workarounds
Remove all Parse.Cloud.afterLiveQueryEvent trigger registrations. Without an afterEvent trigger, the reference detachment does not occur and protected fields are correctly filtered.
AnalysisAI
Parse Server's LiveQuery component leaks protected fields and OAuth authentication data to unauthorized subscribers when an afterLiveQueryEvent trigger is registered for a class. The vulnerability affects Parse Server installations using LiveQuery with afterEvent triggers, allowing any user with basic subscription permissions to access sensitive personal information and third-party OAuth tokens belonging to other users. Patches are available from the vendor with workarounds documented.
Technical ContextAI
Parse Server is a Node.js backend framework (pkg:npm/parse-server) that provides LiveQuery functionality for real-time data synchronization. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and occurs due to a reference detachment bug in the LiveQuery server's event processing pipeline. When Parse.Cloud.afterLiveQueryEvent triggers are registered, the server converts event objects to Parse.Object instances for trigger execution, then creates a JSON copy via toJSONwithObjects(). The sensitive data filter correctly operates on the Parse.Object reference but fails to filter the JSON copy that is actually transmitted to subscribed clients, resulting in protected fields and authData bypassing Class-Level Permissions (CLP) protections.
RemediationAI
Apply the patches provided by Parse Community immediately, available via pull requests at https://github.com/parse-community/parse-server/pull/10232 and https://github.com/parse-community/parse-server/pull/10233. Upgrade to the patched version of parse-server from npm once released. As a temporary workaround until patching is complete, remove all Parse.Cloud.afterLiveQueryEvent trigger registrations from your codebase, as the reference detachment bug only occurs when these triggers are present. Review LiveQuery subscription logs to identify potential unauthorized access to protected fields during the vulnerable period and rotate any exposed OAuth tokens or credentials. Consult the security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff for complete remediation guidance.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12994
GHSA-5hmj-jcgp-6hff