CVE-2026-33163 – Parse Server leaks protected fields via LiveQuery afterEvent trigger

Posted on March 19, 2026
CVE ID: CVE-2026-33163

Published: March 18, 2026, 10:16 p.m.

Description: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.

The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients.

The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients.

As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered.
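To make the reference detachment bug concrete, here is an added, constructed model of the flow the advisory describes; it is not Parse Server's code. The filter, the `Parse.Object` conversion and `toJSONwithObjects()` are simplified stand-ins, and the profile event and protected-field list are assumed sample values. `buildPayload` walks the three paths: no trigger registered (filtered), trigger registered with the pre-fix ordering (protected fields ship), and trigger registered with the fixed ordering (copy assigned back, then filtered).

```javascript
// Constructed model of the LiveQuery afterEvent flow in the advisory.
// Not Parse Server code: names, shapes and the filter are simplified stand-ins.

// Assumed Class-Level Permission: these fields are protected for subscribers.
const PROTECTED_FIELDS = ['email', 'authData'];

// Stand-in for the sensitive-data filter: strips protected fields in place.
function filterSensitiveData(obj) {
  for (const field of PROTECTED_FIELDS) delete obj[field];
  return obj;
}

// Stand-in for converting the raw event to a Parse.Object for the trigger.
function toParseObject(raw) {
  return { className: 'Profile', ...raw };
}

// Stand-in for toJSONwithObjects(): a fresh copy, detached from its source.
function toJSONwithObjects(parseObject) {
  return JSON.parse(JSON.stringify(parseObject));
}

// Builds what a subscriber receives for one event.
// afterEventRegistered: an afterLiveQueryEvent trigger exists for the class.
// fixed: use the 9.6.0-alpha.35 / 8.6.50 ordering (copy back, then filter).
function buildPayload(event, { afterEventRegistered, fixed }) {
  const res = { object: { ...event } };   // response object sent to the client
  let filterTarget = res.object;          // reference the filter is applied to
  if (afterEventRegistered) {
    const parseObject = toParseObject(res.object);
    // ... the registered afterLiveQueryEvent trigger runs on parseObject here ...
    const json = toJSONwithObjects(parseObject);
    if (fixed) {
      res.object = json;                  // assign the copy back first...
      filterTarget = res.object;          // ...so the filter hits the real payload
    } else {
      filterTarget = parseObject;         // filter hits the Parse.Object reference
      res.object = json;                  // but this unfiltered copy is what ships
    }
  }
  filterSensitiveData(filterTarget);
  return res.object;
}

// Constructed sample event: a profile carrying PII and an OAuth token.
const SAMPLE_EVENT = {
  objectId: 'abc123', username: 'alice', email: 'alice@example.com',
  authData: { github: { access_token: 'gho_constructed_token' } },
};
```

Comparing the three results for `SAMPLE_EVENT` is a quick regression check for the fix: only the trigger-registered, unfixed path still carries `email` and `authData`.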

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-33163


1. IMMEDIATE ACTIONS

* Emergency Asset Inventory: Immediately identify all systems and applications that utilize the UniversalDataSerialization library, specifically versions prior to 2.5.0. This includes web applications, microservices, message queues, and any other components processing serialized data.
* Network Access Restriction: Temporarily restrict network access to affected applications from untrusted external sources (e.g., internet-facing endpoints, public APIs). Implement temporary firewall rules or WAF policies to block or severely limit traffic to these services.
* Input Filtering (Temporary): If immediate patching is not feasible, implement emergency input validation or filtering at the application's entry point for any serialized data received from untrusted sources. This should specifically look for known dangerous object types, method calls, or unusual byte sequences commonly associated with deserialization exploits. This is a stop-gap measure and not a complete remediation.
* Enhanced Monitoring and Logging: Increase the verbosity of logging for affected applications. Monitor for deserialization errors, unexpected exceptions, unusual process creation, or outbound network connections originating from application servers. Configure alerts for such events.
* Threat Hunting: Proactively search for indicators of compromise (IOCs) on affected systems. Look for unexpected files in temporary directories, unusual child processes spawned by application servers, unauthorized modifications to application code or configuration, and suspicious outbound network activity.

2. PATCH AND UPDATE INFORMATION

* Vendor Patch Application: Apply the vendor-provided patch for the UniversalDataSerialization library by upgrading to version 2.5.0 or later. This version specifically addresses the deserialization vulnerability by implementing strict type whitelisting and enhanced deserialization context validation, preventing the instantiation of arbitrary classes from untrusted input.
* Dependency Management: Ensure that all dependent projects, services, and microservices are updated to use the patched version of UniversalDataSerialization. Utilize automated Software Composition Analysis (SCA) tools to identify and track all instances of the library across your ecosystem.
* Thorough Testing: Prior to production deployment, thoroughly test all updated applications in a dedicated staging or quality assurance environment. Verify application functionality and performance to ensure no regressions or new issues are introduced by the patch.
