CVE-2022-31112

8.2 HIGH

📋 TL;DR

Parse Server LiveQuery improperly exposes protected fields to clients, allowing unauthorized access to sensitive data. This affects all Parse Server deployments using LiveQuery functionality with protected fields defined. Users running affected versions are vulnerable to information disclosure.

💻 Affected Systems

Products:
  • Parse Server
Versions: All versions before 5.2.4
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using LiveQuery functionality with protected fields defined in Parse schemas.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Exposure of sensitive protected fields like passwords, API keys, or personal data to unauthorized clients, leading to data breaches and compliance violations.

🟠 Likely Case

Accidental exposure of protected fields containing business logic or configuration data that should remain server-side only.

🟢 If Mitigated

No data exposure if protected fields are properly filtered or if LiveQuery is disabled for sensitive classes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires client access to LiveQuery subscriptions but no special authentication beyond normal LiveQuery access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.4

Vendor Advisory: https://github.com/parse-community/parse-server/releases/tag/5.2.4

Restart Required: Yes

Instructions:

1. Update Parse Server to version 5.2.4 or later using npm: 'npm update parse-server'
2. Restart the Parse Server application
3. Verify the update with 'npm list parse-server'

🔧 Temporary Workarounds

Manual protected field filtering (applies to all affected versions)

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields from LiveQuery responses before they are pushed to subscribers:

Parse.Cloud.afterLiveQueryEvent('YourClassName', (request) => {
  // unset() removes the field from the object that will be sent to the subscriber
  request.object.unset('protectedField');
});
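A generalised version of that workaround, as an added example that is not code from the advisory or the parse-server project: it derives the fields to hide from a schema-style protectedFields map ('*', 'authenticated', 'role:<Name>' keys) and the subscriber's roles, then strips them from the event object. The Customer class, its field names and the role lookup are assumptions for illustration.

```javascript
// Added example, not code from the advisory or the parse-server project.
// Generic afterLiveQueryEvent filter: strip protected fields before an event
// reaches a LiveQuery subscriber. Class and field names are constructed.
const PROTECTED_FIELDS = {
  Customer: { '*': ['email', 'apiKey'], 'role:Admin': [] }, // admins see everything
};

// Fields to hide for a subscriber. As in Parse Server's CLP handling, each
// matching key contributes a set and the result is their intersection, so a
// more specific grant (e.g. a role) can only reveal fields, never hide more.
function protectedFieldsFor(config, subscriber = {}) {
  const keys = ['*'];
  if (subscriber.authenticated) keys.push('authenticated');
  for (const role of subscriber.roles || []) keys.push(`role:${role}`);
  let hidden = null;
  for (const key of keys) {
    const fields = config[key];
    if (!fields) continue; // key not configured: contributes nothing
    hidden = hidden === null ? [...fields] : hidden.filter(f => fields.includes(f));
  }
  return hidden || [];
}

// Remove hidden fields from a Parse.Object-like value (get()/unset());
// returns the names actually removed so the caller can log them.
function stripProtectedFields(object, hidden) {
  const removed = [];
  for (const field of hidden) {
    if (object.get(field) === undefined) continue;
    object.unset(field);
    removed.push(field);
  }
  return removed;
}

// Offline stand-in for Parse.Object; in Cloud Code request.object is the real
// thing and exposes the same get()/unset() methods.
function fakeParseObject(attrs) {
  const data = { ...attrs };
  return { get: k => data[k], unset: k => { delete data[k]; }, toJSON: () => ({ ...data }) };
}
// Cloud Code wiring; only executes inside Parse Server where Parse is a global.
// Assumption: subscriber roles are resolved separately (e.g. a Parse.Role query
// run with the master key); an unauthenticated subscriber gets the '*' set only.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.afterLiveQueryEvent('Customer', request => {
    const subscriber = { authenticated: Boolean(request.user), roles: [] };
    stripProtectedFields(request.object, protectedFieldsFor(PROTECTED_FIELDS.Customer, subscriber));
  });
}
```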

🧯 If You Can't Patch

  • Disable LiveQuery for classes containing protected fields
  • Implement network segmentation to restrict LiveQuery client access

🔍 How to Verify

Check if Vulnerable:

Check if Parse Server version is below 5.2.4 and LiveQuery is enabled with protected fields defined.

Check Version:

npm list parse-server | grep parse-server

Verify Fix Applied:

After updating to 5.2.4+, test that protected fields are no longer visible in LiveQuery responses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LiveQuery subscription patterns to classes with protected fields
  • Increased data volume in LiveQuery responses

Network Indicators:

  • Clients accessing LiveQuery endpoints and receiving unexpected field data

SIEM Query:

source="parse-server" AND "LiveQuery" AND ("protected" OR "sensitive")
