CVE-2021-41109

7.5 HIGH

📋 TL;DR

Parse Server versions before 4.10.4 expose user session tokens in LiveQuery payloads when users subscribe to Parse.User class updates. This allows attackers to capture session tokens during user sign-ups, potentially enabling account takeover. All Parse Server deployments using LiveQuery with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Parse Server
Versions: All versions before 4.10.4
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using LiveQuery feature with Parse.User class subscriptions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers capture session tokens and gain unauthorized access to user accounts, leading to data theft, privilege escalation, and complete system compromise.

🟠 Likely Case

Session tokens are exposed in LiveQuery traffic, allowing attackers with network access to intercept and hijack user sessions.

🟢 If Mitigated

With proper network segmentation and access controls, exposure is limited to authorized internal systems only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to LiveQuery traffic and a subscription to the Parse.User class.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.4

Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-7pr3-p5fm-8r9x

Restart Required: Yes

Instructions:

1. Update Parse Server to version 4.10.4 or later using npm: npm update parse-server
2. Restart the Parse Server application.
3. Verify the update with parse-server --version.

🔧 Temporary Workarounds

Set user ACL on sign-up

Applies to: all

Make new users private immediately on sign-up by setting an empty ACL in a beforeSave trigger on Parse.User. The Parse JS SDK setter for this is setACL (Parse.Object has getACL/setACL, not an acl() method):

user.setACL(new Parse.ACL())
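The workaround above as a complete Cloud Code trigger. This is an added example, not code from the advisory or from the Parse project. In a real deployment the Parse SDK (and the Cloud Code registration function Parse.Cloud.beforeSave) is supplied by the Parse Server runtime; the stand-in that the block falls back to when the SDK is not installed is constructed for this example and only implements the two SDK pieces the trigger uses (Parse.ACL and the beforeSave hook), so the logic can be exercised offline. The sample sign-up user is likewise constructed.

```javascript
// Added example (not from the advisory or the Parse project): a beforeSave
// trigger that gives every newly created user an empty ACL. With no public
// read permission on the new _User object, no LiveQuery subscriber passes the
// ACL check for the resulting "create" event, so the object (and its
// sessionToken field) is not pushed to other clients. The signing-up client
// still receives its own session token in the sign-up response.
//
// In Cloud Code the Parse SDK is provided by the runtime. The stand-in below
// is constructed for this example so the trigger logic can run offline.
let Parse;
try {
  Parse = require('parse/node');
} catch (err) {
  class StandInACL {
    constructor() { this.permissions = {}; }   // empty: no public or per-user grants
    getPublicReadAccess() {
      return Boolean(this.permissions['*'] && this.permissions['*'].read);
    }
    setPublicReadAccess(allowed) { this.permissions['*'] = { read: allowed }; }
    toJSON() { return { ...this.permissions }; }
  }
  Parse = {
    ACL: StandInACL,
    User: class User {},
    Cloud: { beforeSave() { /* nothing to register with offline */ } },
  };
}

// Replace the ACL of a user that is about to be created with an empty one.
// Existing users are left untouched. Returns the ACL now on the object.
function makeUserPrivate(user) {
  if (!user.isNew()) return user.getACL();
  const acl = new Parse.ACL();   // empty ACL: readable/writable only with the master key
  user.setACL(acl);
  return acl;
}

// Register the trigger; request.object is the Parse.User being saved.
if (Parse.Cloud && typeof Parse.Cloud.beforeSave === 'function') {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    makeUserPrivate(request.object);
  });
}

// Constructed stand-in for a user object during sign-up: new (no objectId
// yet) and carrying a public-read ACL, the state the workaround removes.
function sampleSignupUser() {
  const acl = new Parse.ACL();
  acl.setPublicReadAccess(true);
  let current = acl;
  return {
    isNew: () => true,
    getACL: () => current,
    setACL: (a) => { current = a; },
  };
}

module.exports = { makeUserPrivate, sampleSignupUser };
```

Put the trigger in the Cloud Code file referenced by the server's cloud option; it applies only to new users, so existing accounts keep whatever ACL they already have and must be tightened separately if required.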

🧯 If You Can't Patch

  • Disable LiveQuery feature entirely if not required
  • Implement network segmentation to isolate LiveQuery traffic and restrict access

🔍 How to Verify

Check if Vulnerable:

Check the Parse Server version with parse-server --version. If the version is below 4.10.4 and LiveQuery is enabled, the system is vulnerable.

Check Version:

parse-server --version

Verify Fix Applied:

Verify that the version is 4.10.4 or higher and test that session tokens are not present in LiveQuery payloads for Parse.User subscriptions.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected session token values in LiveQuery logs
  • Multiple user session creations from single IP

Network Indicators:

  • Session tokens in LiveQuery WebSocket traffic
  • Unauthorized access attempts using captured tokens

SIEM Query:

source="parse-server" AND "LiveQuery" AND "sessionToken"
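A checker for the "Verify Fix Applied" step and the "Session tokens in LiveQuery WebSocket traffic" indicator above. This is an added example, not code from the advisory or from the Parse project. It scans captured LiveQuery server-to-client messages (JSON text frames) and flags any object event for the _User class whose object carries a sessionToken field. The message shape follows the LiveQuery protocol (an op field plus an object with className); the sample capture, object ids and the token value are constructed.

```javascript
// Added example (not from the advisory or the Parse project): scan captured
// LiveQuery messages for _User object events that carry a sessionToken.
// A patched server (4.10.4+) omits the field; a vulnerable one includes it.

// LiveQuery object events; other ops (connected, subscribed, error, ...) carry
// no object payload and are skipped.
const OBJECT_EVENTS = new Set(['create', 'enter', 'update', 'leave', 'delete']);

// Returns one {index, op, objectId} record per leaking message. Lines that are
// not JSON, not object events, or not _User objects are ignored, not flagged.
function findSessionTokenLeaks(messages) {
  const leaks = [];
  messages.forEach((raw, index) => {
    let msg;
    try { msg = JSON.parse(raw); } catch (e) { return; }
    if (!msg || !OBJECT_EVENTS.has(msg.op)) return;
    const obj = msg.object;
    if (typeof obj !== 'object' || obj === null || obj.className !== '_User') return;
    if (Object.prototype.hasOwnProperty.call(obj, 'sessionToken')) {
      leaks.push({ index, op: msg.op, objectId: obj.objectId });
    }
  });
  return leaks;
}

// Constructed sample capture: connection/subscription acks, a _User create
// event that leaks a token (vulnerable behaviour), a create event as a patched
// server sends it, an unrelated class, and a non-JSON line.
const SAMPLE_CAPTURE = [
  '{"op":"connected","clientId":1}',
  '{"op":"subscribed","clientId":1,"requestId":1}',
  '{"op":"create","requestId":1,"object":{"className":"_User","objectId":"abc123","username":"alice","sessionToken":"r:EXAMPLE_TOKEN_NOT_REAL"}}',
  '{"op":"create","requestId":1,"object":{"className":"_User","objectId":"def456","username":"bob"}}',
  '{"op":"update","requestId":2,"object":{"className":"Post","objectId":"p1","title":"hello"}}',
  'garbage line that is not JSON',
];

function summarize(messages) {
  const leaks = findSessionTokenLeaks(messages);
  return leaks.length === 0
    ? 'no session tokens in _User LiveQuery events'
    : `${leaks.length} leaking event(s): ` +
      leaks.map((l) => `#${l.index} ${l.op} ${l.objectId}`).join(', ');
}

console.log(summarize(SAMPLE_CAPTURE));

module.exports = { findSessionTokenLeaks, summarize, SAMPLE_CAPTURE };
```

Feed it the text frames from a LiveQuery WebSocket capture taken while a test account signs up; after the upgrade the _User create event should appear without the sessionToken field and the checker should report nothing.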

🔗 References
