CVE-2026-30947: CWE-863: Incorrect Authorization in parse-community parse-server

Severity: High
Tags: vulnerability, CVE-2026-30947, CWE-863
Published: Tue Mar 10 2026 (03/10/2026, 20:16:34 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

CVE-2026-30947 is a high-severity vulnerability in parse-community's parse-server affecting versions prior to 9.5.2-alpha.3 and 8.6.16. It involves incorrect authorization where class-level permissions (CLP) are not enforced for LiveQuery subscriptions. This flaw allows unauthenticated or unauthorized clients to subscribe to any LiveQuery-enabled class and receive real-time data updates, bypassing intended access controls. The vulnerability leads to unauthorized data leakage in real time. It requires no authentication or user interaction and can be exploited remotely over the network.

AI-Powered Analysis

Last updated: 03/10/2026, 20:45:02 UTC

Technical Analysis

Parse Server is an open-source backend platform that supports real-time data synchronization through LiveQuery subscriptions. In affected versions prior to 9.5.2-alpha.3 and 8.6.16, a critical authorization flaw exists where class-level permissions (CLP) are not enforced for LiveQuery subscriptions. CLP is intended to restrict access to data classes based on user roles or permissions. However, due to this vulnerability, any client—whether authenticated or not—can subscribe to LiveQuery-enabled classes and receive real-time event notifications for all objects within those classes, regardless of the CLP restrictions. This results in unauthorized disclosure of sensitive data in real time. The vulnerability stems from improper enforcement of authorization checks during the subscription process, effectively bypassing security controls designed to protect data confidentiality. Exploitation requires no privileges or user interaction and can be performed remotely over the network. The vulnerability affects all parse-server deployments using LiveQuery with CLP enabled, making it widespread. The issue was addressed and fixed in parse-server versions 9.5.2-alpha.3 and 8.6.16 by enforcing proper CLP checks during LiveQuery subscription handling. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality and the ease of exploitation without authentication or user interaction. No known exploits have been reported in the wild yet, but the potential for data leakage is significant.

Potential Impact

This vulnerability can lead to significant data confidentiality breaches for organizations using parse-server with LiveQuery and class-level permissions. Unauthorized clients can gain real-time access to sensitive or restricted data streams, potentially exposing personal information, business-critical data, or intellectual property. The real-time nature of LiveQuery exacerbates the impact by allowing continuous data leakage as events occur. This can undermine trust in applications, violate data privacy regulations, and lead to compliance failures. Attackers could use this access to gather intelligence, conduct further attacks, or cause reputational damage. Since no authentication or user interaction is required, exploitation can be automated and scaled easily. Organizations relying on parse-server for backend services in industries such as finance, healthcare, social media, and IoT are particularly at risk. The widespread use of parse-server in cloud and self-hosted environments globally means the threat has a broad scope. Although no exploits are currently known in the wild, the high CVSS score and nature of the flaw make it a critical risk that demands immediate remediation.

Mitigation Recommendations

Organizations should immediately upgrade parse-server deployments to versions 9.5.2-alpha.3 or 8.6.16 or later, where the vulnerability is fixed. Until upgrades are possible, administrators should consider disabling LiveQuery subscriptions or restricting access to trusted networks and clients only. Implement network-level controls such as firewall rules and VPNs to limit exposure of parse-server endpoints. Review and audit existing LiveQuery usage and class-level permission configurations to identify potential data exposure. Employ monitoring and logging to detect unusual subscription activity or unauthorized access attempts. For environments where upgrading is delayed, consider implementing application-layer proxies or middleware that enforce CLP checks on LiveQuery subscriptions as a temporary workaround. Educate development teams about the risks of exposing real-time data without proper authorization enforcement. Finally, maintain an incident response plan to quickly address any detected data leaks or unauthorized access stemming from this vulnerability.
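As an added illustration, not the project's own code, of the check the fix restores and of the log audit suggested above: a simplified model of Parse's CLP "find" entry applied to LiveQuery subscribe messages, replaying constructed subscribe lines to list the subscriptions an enforcing server would reject (and that a vulnerable version would have served). The CLP table, session-token table and log lines are constructed; the message shape follows the LiveQuery protocol's subscribe op, and the CLP semantics are a conservative approximation (unknown classes fail closed).

```python
import json

# Constructed CLP table in the shape of Parse's classLevelPermissions; only "find" matters for a read-only subscription.
CLP = {
    "PublicPost":  {"find": {"*": True}},
    "PrivateNote": {"find": {"requiresAuthentication": True}},
    "AuditLog":    {"find": {"role:Admin": True}},
}
# Constructed session-token table; a real server resolves tokens via _Session.
SESSIONS = {
    "r:tok-alice": {"userId": "u1", "roles": []},
    "r:tok-root":  {"userId": "u9", "roles": ["Admin"]},
}

def principals(session):
    """CLP keys this caller satisfies; an anonymous caller only satisfies '*'."""
    if session is None:
        return {"*"}
    keys = {"*", "requiresAuthentication", session["userId"]}
    keys.update("role:" + r for r in session.get("roles", []))
    return keys

def subscription_allowed(message, session, clp=CLP):
    """Gate a LiveQuery 'subscribe' op on the class CLP; unknown classes and
    empty 'find' entries fail closed."""
    if message.get("op") != "subscribe":
        return True  # connect/unsubscribe name no class to authorise
    class_name = message.get("query", {}).get("className")
    find = clp.get(class_name, {}).get("find", {})
    return any(find.get(p) is True for p in principals(session))

def audit_subscribe_log(lines, sessions=SESSIONS):
    """Replay logged subscribe messages; return (requestId, className) for each
    one an enforcing server rejects, i.e. what a vulnerable version served."""
    rejected = []
    for line in lines:
        msg = json.loads(line)
        session = sessions.get(msg.get("sessionToken"))  # None when anonymous
        if not subscription_allowed(msg, session):
            rejected.append((msg["requestId"], msg["query"]["className"]))
    return rejected

# Constructed subscribe messages in LiveQuery protocol shape, one per log line.
SAMPLE_LOG = [
    '{"op":"subscribe","requestId":1,"query":{"className":"PublicPost","where":{}}}',
    '{"op":"subscribe","requestId":2,"query":{"className":"PrivateNote","where":{}}}',
    '{"op":"subscribe","requestId":3,"query":{"className":"PrivateNote","where":{}},"sessionToken":"r:tok-alice"}',
    '{"op":"subscribe","requestId":4,"query":{"className":"AuditLog","where":{}},"sessionToken":"r:tok-alice"}',
    '{"op":"subscribe","requestId":5,"query":{"className":"AuditLog","where":{}},"sessionToken":"r:tok-root"}',
    '{"op":"subscribe","requestId":6,"query":{"className":"Secrets","where":{}},"sessionToken":"r:tok-root"}',
]
```

Running `audit_subscribe_log(SAMPLE_LOG)` flags requests 2, 4 and 6: the anonymous subscription to an authenticated-only class, the non-admin subscription to a role-gated class, and the subscription to a class with no CLP entry.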

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-07T17:34:39.980Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b07f3e2f860ef943b515b1

Added to database: 3/10/2026, 8:29:50 PM

Last enriched: 3/10/2026, 8:45:02 PM

Last updated: 3/10/2026, 10:29:03 PM