PT-2021-23094 · Unknown · Parse Server

Dblythy · Published 2021-09-30 · Updated 2024-03-06 · CVE-2021-41109

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.4

Description: Parse Server exposes session tokens in LiveQuery payloads to clients holding a LiveQuery subscription on the Parse.User class. For regular queries the server strips session tokens from responses, but prior to the fix LiveQuery payloads were not filtered the same way, so the session token created for every user sign-up was broadcast as part of the LiveQuery payload, potentially compromising user privacy. Version 4.10.4 removes session tokens from the LiveQuery payload.

Recommendations: For versions prior to 4.10.4, update to version 4.10.4 or later, which removes session tokens from LiveQuery payloads. As a temporary workaround on versions prior to 4.10.4, set user.acl(new Parse.ACL()) in a beforeSave trigger so the user is private already on sign-up.
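The following is an added example and not code from Parse Server or from this advisory. It shows the workaround as a Cloud Code beforeSave trigger on Parse.User, plus a small audit function a defender can run over a captured LiveQuery event to confirm that an upgrade to 4.10.4 (or the workaround) actually stops session tokens from reaching subscribers. Assumptions: the Cloud Code globals Parse.Cloud.beforeSave, Parse.User, Parse.ACL and the Parse.Object methods setACL and existed (the advisory writes user.acl(...); setACL is the JS SDK method that attaches an ACL); the sample events below are constructed, not real captures.

```javascript
// Added example (not Parse Server's or the advisory's own code).
// Part 1: the advisory's workaround as a Cloud Code beforeSave trigger.
// Part 2: an audit helper that flags sessionToken keys in a LiveQuery payload.

// Attach an empty ACL to a user-like object. A freshly constructed Parse.ACL
// grants no public read or write access, so a LiveQuery broadcast of the
// user row carries nothing other subscribers are allowed to see.
// `ACLClass` is passed in so the helper can be exercised without the SDK.
function makeUserPrivate(user, ACLClass) {
  user.setACL(new ACLClass());
  return user;
}

// Register the trigger only when loaded as Cloud Code by Parse Server, where
// the global `Parse` object exists (assumed API, see lead-in).
if (typeof Parse !== 'undefined' && Parse.Cloud && typeof Parse.Cloud.beforeSave === 'function') {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    // Apply on sign-up only, as the advisory describes: existed() is false
    // for an object that has not been persisted yet (assumption).
    if (!request.object.existed()) {
      makeUserPrivate(request.object, Parse.ACL);
    }
  });
}

// Walk a LiveQuery event object and collect the JSON path of every
// `sessionToken` key, at any depth. To verify a deployment: subscribe a test
// client to Parse.User, sign up a throwaway account, and feed the received
// "create" event to this function; a patched server should yield [].
function findSessionTokens(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSessionTokens(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (key === 'sessionToken') hits.push(`${path}.${key}`);
      hits.push(...findSessionTokens(child, `${path}.${key}`));
    }
  }
  return hits;
}

function payloadLeaksSessionToken(event) {
  return findSessionTokens(event).length > 0;
}

// Constructed sample events (not real captures), shaped after the LiveQuery
// "create" message the advisory describes. objectId and token are placeholders.
const UNPATCHED_CREATE_EVENT = {
  op: 'create',
  requestId: 1,
  object: {
    className: '_User',
    objectId: 'OBJECTID_PLACEHOLDER',
    username: 'alice',
    sessionToken: 'r:SESSION_TOKEN_PLACEHOLDER', // what pre-4.10.4 servers broadcast
  },
};

const PATCHED_CREATE_EVENT = {
  op: 'create',
  requestId: 1,
  object: { className: '_User', objectId: 'OBJECTID_PLACEHOLDER', username: 'alice' },
};

// Quick check when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unpatched event leaks token:', payloadLeaksSessionToken(UNPATCHED_CREATE_EVENT));
  console.log('patched event leaks token:', payloadLeaksSessionToken(PATCHED_CREATE_EVENT));
  console.log('paths:', findSessionTokens(UNPATCHED_CREATE_EVENT));
}
```

Deploy the trigger by placing it in the Cloud Code main file of a Parse Server instance; the audit functions are plain Node and can also be run against an event recorded from a LiveQuery websocket client.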

Fix

Weakness Enumeration: Information Disclosure

Related Identifiers:
BIT-PARSE-2021-41109
CVE-2021-41109
GHSA-7PR3-P5FM-8R9X

Affected Products: Parse Server