CVE-2022-36079

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 4.10.14 Parse Server versions prior to 5.2.5

Description Internal fields (keys used internally by Parse Server, prefixed by ) and protected fields (user defined) can be used as query constraints. These fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object. The issue can be exploited by using the query. where object to guess internal and protected fields.

Recommendations For versions prior to 4.10.14, update to version 4.10.14 or later. For versions prior to 5.2.5, update to version 5.2.5 or later. As a temporary workaround, implement a Parse Cloud Trigger beforeFind and manually remove the query constraints, such as deleting keys that start with from the query. where object.