Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
AnalysisAI
Parse Server versions prior to 9.8.0-alpha.7 and 8.6.75 expose protected session fields to authenticated users via the GET /sessions/me endpoint, bypassing the protectedFields server configuration that should restrict access to sensitive data. An authenticated attacker can retrieve their own session's protected fields in a single request, whereas the equivalent GET /sessions and GET /sessions/:objectId endpoints correctly enforce field-level access controls. This information disclosure vulnerability affects any Parse Server deployment where administrators have configured protected fields on the _Session class and expects those fields to remain confidential from users.
Technical ContextAI
Parse Server is a Node.js-based backend-as-a-service framework that provides REST API endpoints for session management. The protectedFields server option is a field-level access control mechanism designed to prevent clients from reading sensitive fields (such as authentication tokens or internal metadata) on protected classes like _Session. The vulnerability stems from inconsistent enforcement of this protection policy across three session endpoints: GET /sessions/me fails to filter protected fields, while GET /sessions and GET /sessions/:objectId correctly strip them before returning data to clients. This is a CWE-863 (Incorrect Authorization) issue rooted in a logic flaw where one code path bypasses the authorization checks that other paths enforce. The vulnerability is specific to the _Session class fields accessed through the unauthenticated-to-authenticated transition point of the /sessions/me endpoint.
RemediationAI
Upgrade Parse Server to version 9.8.0-alpha.7 or later in the 9.x branch, or to version 8.6.75 or later in the 8.x branch. The upstream fix was implemented via pull requests #10406 and #10407 (https://github.com/parse-community/parse-server/pull/10406 and https://github.com/parse-community/parse-server/pull/10407), which modify the GET /sessions/me endpoint to enforce protectedFields filtering consistent with the other session endpoints. If immediate upgrade is not feasible, deploy a reverse proxy or API gateway layer that validates and strips protected fields from /sessions/me responses based on your configured protectedFields policy; however, this is not a substitute for patching the application itself. Review audit logs for any unauthorized access to /sessions/me in the recent past to confirm no exploitation has occurred.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19917
GHSA-g4v2-qx3q-4p64