Moderate severityNVD Advisory· Published Oct 22, 2020· Updated Aug 4, 2024
Improper session expiration in Parse Server
CVE-2020-15270
Description
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | < 4.4.0 | 4.4.0 |
Affected products
1- Range: <= 4.3.0
Patches
178b59fb26b1cMerge pull request from GHSA-2xm2-xj2q-qgpj
https://github.com/parse-community/parse-serverAntonio Davi Macedo Coelho de CastroOct 21, 2020via ghsa
6 files changed · +62 −12
spec/ParseLiveQuery.spec.js+42 −0 modified@@ -784,6 +784,48 @@ describe('ParseLiveQuery', function () { }); }); + it('should not broadcast event to client with invalid session token - avisory GHSA-2xm2-xj2q-qgpj', async done => { + await reconfigureServer({ + liveQuery: { + classNames: ['TestObject'], + }, + liveQueryServerOptions: { + cacheTimeout: 100, + }, + startLiveQueryServer: true, + verbose: false, + silent: true, + cacheTTL: 100, + }); + const user = new Parse.User(); + user.setUsername('username'); + user.setPassword('password'); + await user.signUp(); + const obj1 = new Parse.Object('TestObject'); + const obj1ACL = new Parse.ACL(); + obj1ACL.setPublicReadAccess(false); + obj1ACL.setReadAccess(user, true); + obj1.setACL(obj1ACL); + const obj2 = new Parse.Object('TestObject'); + const obj2ACL = new Parse.ACL(); + obj2ACL.setPublicReadAccess(false); + obj2ACL.setReadAccess(user, true); + obj2.setACL(obj2ACL); + const query = new Parse.Query('TestObject'); + const subscription = await query.subscribe(); + subscription.on('create', obj => { + if (obj.id !== obj1.id) { + done.fail('should not fire'); + } + }); + await obj1.save(); + await Parse.User.logOut(); + await new Promise(resolve => setTimeout(resolve, 200)); + await obj2.save(); + await new Promise(resolve => setTimeout(resolve, 200)); + done(); + }); + afterEach(async function (done) { const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient(); client.close();
src/LiveQuery/ParseLiveQueryServer.js+7 −5 modified@@ -30,10 +30,11 @@ class ParseLiveQueryServer { // The subscriber we use to get object update from publisher subscriber: Object; - constructor(server: any, config: any = {}) { + constructor(server: any, config: any = {}, parseServerConfig: any = {}) { this.server = server; this.clients = new Map(); this.subscriptions = new Map(); + this.config = config; config.appId = config.appId || Parse.applicationId; config.masterKey = config.masterKey || Parse.masterKey; @@ -54,13 +55,15 @@ class ParseLiveQueryServer { // The cache controller is a proper cache controller // with access to User and Roles - this.cacheController = getCacheController(config); + this.cacheController = getCacheController(parseServerConfig); + + config.cacheTimeout = config.cacheTimeout || 5 * 1000; // 5s // This auth cache stores the promises for each auth resolution. // The main benefit is to be able to reuse the same user / session token resolution. this.authCache = new LRU({ max: 500, // 500 concurrent - maxAge: 60 * 60 * 1000, // 1h + maxAge: config.cacheTimeout, }); // Initialize websocket server this.parseWebSocketServer = new ParseWebSocketServer( @@ -510,12 +513,11 @@ class ParseLiveQueryServer { // There was an error with the session token const result = {}; if (error && error.code === Parse.Error.INVALID_SESSION_TOKEN) { - // Store a resolved promise with the error for 10 minutes result.error = error; this.authCache.set( sessionToken, Promise.resolve(result), - 60 * 10 * 1000 + this.config.cacheTimeout ); } else { this.authCache.del(sessionToken);
src/Options/Definitions.js+1 −1 modified@@ -478,7 +478,7 @@ module.exports.LiveQueryServerOptions = { cacheTimeout: { env: 'PARSE_LIVE_QUERY_SERVER_CACHE_TIMEOUT', help: - "Number in milliseconds. When clients provide the sessionToken to the LiveQuery server, the LiveQuery server will try to fetch its ParseUser's objectId from parse server and store it in the cache. The value defines the duration of the cache. Check the following Security section and our protocol specification for details, defaults to 30 * 24 * 60 * 60 * 1000 ms (~30 days).", + "Number in milliseconds. When clients provide the sessionToken to the LiveQuery server, the LiveQuery server will try to fetch its ParseUser's objectId from parse server and store it in the cache. The value defines the duration of the cache. Check the following Security section and our protocol specification for details, defaults to 5 * 1000 ms (5 seconds).", action: parsers.numberParser('cacheTimeout'), }, keyPairs: {
src/Options/docs.js+1 −1 modified@@ -100,7 +100,7 @@ /** * @interface LiveQueryServerOptions * @property {String} appId This string should match the appId in use by your Parse Server. If you deploy the LiveQuery server alongside Parse Server, the LiveQuery server will try to use the same appId. - * @property {Number} cacheTimeout Number in milliseconds. When clients provide the sessionToken to the LiveQuery server, the LiveQuery server will try to fetch its ParseUser's objectId from parse server and store it in the cache. The value defines the duration of the cache. Check the following Security section and our protocol specification for details, defaults to 30 * 24 * 60 * 60 * 1000 ms (~30 days). + * @property {Number} cacheTimeout Number in milliseconds. When clients provide the sessionToken to the LiveQuery server, the LiveQuery server will try to fetch its ParseUser's objectId from parse server and store it in the cache. The value defines the duration of the cache. Check the following Security section and our protocol specification for details, defaults to 5 * 1000 ms (5 seconds). * @property {Any} keyPairs A JSON object that serves as a whitelist of keys. It is used for validating clients when they try to connect to the LiveQuery server. Check the following Security section and our protocol specification for details. * @property {String} logLevel This string defines the log level of the LiveQuery server. We support VERBOSE, INFO, ERROR, NONE, defaults to INFO. * @property {String} masterKey This string should match the masterKey in use by your Parse Server. If you deploy the LiveQuery server alongside Parse Server, the LiveQuery server will try to use the same masterKey.
src/Options/index.js+1 −1 modified@@ -260,7 +260,7 @@ export interface LiveQueryServerOptions { keyPairs: ?any; /* Number of milliseconds between ping/pong frames. The WebSocket server sends ping/pong frames to the clients to keep the WebSocket alive. This value defines the interval of the ping/pong frame from the server to clients, defaults to 10 * 1000 ms (10 s).*/ websocketTimeout: ?number; - /* Number in milliseconds. When clients provide the sessionToken to the LiveQuery server, the LiveQuery server will try to fetch its ParseUser's objectId from parse server and store it in the cache. The value defines the duration of the cache. Check the following Security section and our protocol specification for details, defaults to 30 * 24 * 60 * 60 * 1000 ms (~30 days).*/ + /* Number in milliseconds. When clients provide the sessionToken to the LiveQuery server, the LiveQuery server will try to fetch its ParseUser's objectId from parse server and store it in the cache. The value defines the duration of the cache. Check the following Security section and our protocol specification for details, defaults to 5 * 1000 ms (5 seconds).*/ cacheTimeout: ?number; /* This string defines the log level of the LiveQuery server. We support VERBOSE, INFO, ERROR, NONE, defaults to INFO.*/ logLevel: ?string;
src/ParseServer.js+10 −4 modified@@ -298,7 +298,8 @@ class ParseServer { if (options.startLiveQueryServer || options.liveQueryServerOptions) { this.liveQueryServer = ParseServer.createLiveQueryServer( server, - options.liveQueryServerOptions + options.liveQueryServerOptions, + options ); } /* istanbul ignore next */ @@ -324,16 +325,21 @@ class ParseServer { * Helper method to create a liveQuery server * @static * @param {Server} httpServer an optional http server to pass - * @param {LiveQueryServerOptions} config options fot he liveQueryServer + * @param {LiveQueryServerOptions} config options for the liveQueryServer + * @param {ParseServerOptions} options options for the ParseServer * @returns {ParseLiveQueryServer} the live query server instance */ - static createLiveQueryServer(httpServer, config: LiveQueryServerOptions) { + static createLiveQueryServer( + httpServer, + config: LiveQueryServerOptions, + options: ParseServerOptions + ) { if (!httpServer || (config && config.port)) { var app = express(); httpServer = require('http').createServer(app); httpServer.listen(config.port); } - return new ParseLiveQueryServer(httpServer, config); + return new ParseLiveQueryServer(httpServer, config, options); } static verifyServerUrl(callback) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-2xm2-xj2q-qgpjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15270ghsaADVISORY
- github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58ghsax_refsource_MISCWEB
- github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpjghsax_refsource_CONFIRMWEB
- npmjs.com/parse-servermitrex_refsource_MISC
News mentions
0No linked articles in our index yet.