CVE-2022-31112

HIGH

Parse Server - Info Disclosure

Title source: llm

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

References (6)

[Third Party Advisory] https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh

[Issue Tracking, Patch, Release Notes, Third Party Advisory] https://github.com/parse-community/parse-server/issues/8073

[Patch, Release Notes, Third Party Advisory] https://github.com/parse-community/parse-server/pull/8074

[Patch, Third Party Advisory] https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1

[Patch, Third Party Advisory] https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6

View Patch ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/parse-community/parse-server/releases/tag/5.2.4

Scores

CVSS v3 8.2

EPSS 0.0060

EPSS Percentile 69.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-212 CWE-200

Status published

Products (2)

npm/parse-server 0 - 4.10.13npm

parseplatform/parse-server < 4.10.13

Published Jun 30, 2022

Tracked Since Feb 18, 2026