Unknown · Parse Server · CVE-2022-36079
**Name of the Vulnerable Software and Affected Versions**
Parse Server versions prior to 4.10.14
Parse Server versions prior to 5.2.5
**Description**
Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. These fields are removed by Parse Server from responses and are only returned to a client that presents a valid master key. However, because they still act as query constraints, their values can be guessed by enumerating candidate values until Parse Server returns a matching response object. The issue can be exploited by using the `query._where` object to guess internal and protected fields.
**Recommendations**
For versions prior to 4.10.14, update to version 4.10.14 or later.
For versions prior to 5.2.5, update to version 5.2.5 or later.
As a temporary workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the offending query constraints, for example by deleting keys that start with `_` (and any user-defined protected field names) from the `query._where` object before the query runs.
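The `beforeFind` workaround above, written out as an added example (this is not code from the advisory or from the Parse Server project). The class name `Player`, the protected-field list and the sample constraints are assumptions; the sanitizer also recurses into `$or`/`$and`/`$nor` so a filter on an internal key cannot be hidden inside a compound clause.

```javascript
// Added example: strip internal (`_`-prefixed) and protected field constraints
// from a Parse query's `_where` object inside a `beforeFind` Cloud trigger.

// Assumed user-defined protected fields for this deployment (illustrative).
const PROTECTED_FIELDS = ['email', 'phone'];

// Return a copy of `where` with constraints on internal or protected keys removed.
// Compound clauses are sanitized recursively; an emptied sub-clause is dropped,
// which narrows the query rather than leaking through it.
function sanitizeWhere(where, protectedFields = PROTECTED_FIELDS) {
  if (!where || typeof where !== 'object') return where;
  const clean = {};
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      const parts = Array.isArray(value)
        ? value
            .map((sub) => sanitizeWhere(sub, protectedFields))
            .filter((sub) => Object.keys(sub).length > 0)
        : [];
      if (parts.length > 0) clean[key] = parts;
      continue;
    }
    // Keys never returned to the client must not be usable as filters either.
    if (key.startsWith('_') || protectedFields.includes(key)) continue;
    clean[key] = value;
  }
  return clean;
}

// Register the trigger. `Parse` is passed in explicitly so this module can be
// loaded (and unit-tested) without the SDK present; in Cloud Code you would
// pass the global `Parse` object.
function registerGuard(Parse, className) {
  Parse.Cloud.beforeFind(className, (req) => {
    if (req.master) return; // master-key callers are allowed to query these fields
    req.query._where = sanitizeWhere(req.query._where);
  });
}
```

In a real deployment the guard has to be registered for every class that holds protected or internal fields, since `beforeFind` is bound per class name.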