PT-2021-22398 · Parse Server

Credit: Cbaker6
Published: 2021-08-18
Updated: 2024-03-06
CVE: CVE-2021-39138
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.5.1

Description: The issue arises when an anonymous user is first signed up through the REST API, which causes the server to create the Session record incorrectly. Specifically, the authProvider field under createdWith in the Session class shows the user as having logged in with a password. This misclassification affects developers who rely on the createdWith field to grant different levels of access to password users and anonymous users. The server itself does not use createdWith for internal decision-making, so developers who do not read it directly are not affected.

Recommendations: For versions prior to 4.5.1, upgrade to version 4.5.1 to resolve the issue. As a temporary workaround, do not use the createdWith Session field to make access decisions if anonymous login is allowed.
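The following is an added example, not code from Parse Server or from the advisory's author. It places the access check the advisory warns about (trusting Session.createdWith.authProvider) beside the workaround form (deciding from the user's own authData, where Parse Server records anonymous logins under the "anonymous" key). The Session and _User objects are constructed for this example and mirror the incorrect bookkeeping described above: the anonymous user's Session says "password".

```javascript
// Added example (not Parse Server's own code). Compares a check that relies on
// the Session's createdWith.authProvider field with one that relies on the
// user's authData. All records below are constructed sample data.

// Constructed sample: a Session as an affected server (< 4.5.1) records it for
// an anonymous REST sign-up. authProvider is "password" instead of "anonymous".
const sampleSession = {
  objectId: 'sess-constructed-1',
  user: { __type: 'Pointer', className: '_User', objectId: 'user-constructed-1' },
  createdWith: { action: 'signup', authProvider: 'password' },
};

// Constructed sample: the matching _User. Parse Server stores anonymous logins
// under authData.anonymous, independent of the Session bookkeeping.
const sampleAnonymousUser = {
  objectId: 'user-constructed-1',
  authData: { anonymous: { id: '00000000-0000-4000-8000-000000000000' } },
};

// Constructed sample: a user who genuinely signed up with username/password.
// Password users carry no authData.
const samplePasswordUser = {
  objectId: 'user-constructed-2',
  username: 'alice',
};

// The pattern the advisory warns about: trust createdWith on the Session.
// Under the bug this returns false for an anonymous user, so any code that
// gates privileged actions on "not anonymous" would let the anonymous user in.
function isAnonymousByCreatedWith(session) {
  const provider = session && session.createdWith && session.createdWith.authProvider;
  return provider === 'anonymous';
}

// Workaround form: decide from the user's authData, not from the Session.
function isAnonymousByAuthData(user) {
  return Boolean(user && user.authData && user.authData.anonymous);
}

// Authorization helper in the recommended form.
function canPerformPrivilegedAction(user) {
  return !isAnonymousByAuthData(user);
}

// Demonstrates the divergence on the constructed records; returns a summary
// object so the outcome can be inspected or asserted on.
function compareChecks() {
  return {
    createdWithSaysAnonymous: isAnonymousByCreatedWith(sampleSession),   // false (misclassified)
    authDataSaysAnonymous: isAnonymousByAuthData(sampleAnonymousUser),   // true
    anonymousUserAllowed: canPerformPrivilegedAction(sampleAnonymousUser), // false
    passwordUserAllowed: canPerformPrivilegedAction(samplePasswordUser),   // true
  };
}

console.log(compareChecks());
```

On an affected server the two checks disagree for the same anonymous user, which is exactly the condition under which code keyed on createdWith grants access it should not. Deciding from authData (or upgrading to 4.5.1) removes the dependency on the miscreated Session field.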

Fix

Weakness Enumeration
Improper Authentication
Incorrect Authorization

Related Identifiers
BIT-PARSE-2021-39138
CVE-2021-39138
GHSA-23R4-5MXP-C7G5

Affected Products
Parse Server