Parse Server is an open-source backend platform that supports real-time data synchronization via LiveQuery subscriptions. In versions prior to 8.6.54 and 9.6.0-alpha.43, a vulnerability exists where an attacker can subscribe to LiveQuery events with a watch parameter targeting protected fields. Protected fields are intended to be hidden from clients, and their values are stripped from event payloads to prevent unauthorized disclosure. However, the vulnerability arises because the system still emits update events indicating whether a protected field changed. This creates an observable discrepancy, effectively a binary oracle, where the attacker can infer if the protected field was updated or not. For boolean protected fields, the timing and presence of these update events directly correlate to the field's value, allowing an attacker to deduce sensitive information without accessing the actual data. The flaw is classified under CWE-203 (Observable Discrepancy) and has a CVSS 4.0 base score of 6.3, reflecting a medium severity level. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The vulnerability does not affect confidentiality directly by exposing data values but leaks information through side-channel timing and event presence. The issue was addressed by the parse-community team in versions 8.6.54 and 9.6.0-alpha.43 by eliminating this side-channel leakage in LiveQuery event handling.

The primary impact of this vulnerability is an information disclosure through side-channel analysis. Attackers can infer changes to protected fields, potentially revealing sensitive boolean flags or state indicators that should remain confidential. This can undermine data privacy and enable further targeted attacks or reconnaissance. Since parse-server is used globally by many organizations for backend services, especially those leveraging real-time features, the vulnerability could expose sensitive application logic or user data indirectly. Although the vulnerability does not allow direct data extraction or modification, the binary oracle can facilitate privilege escalation or bypass of access controls if combined with other weaknesses. The lack of authentication requirement and remote exploitability increase the risk profile. Organizations relying on affected parse-server versions may face risks to confidentiality and trustworthiness of their backend data synchronization mechanisms.

The most effective mitigation is to upgrade parse-server to version 8.6.54 or later, or 9.6.0-alpha.43 or later, where the vulnerability is patched. For organizations unable to upgrade immediately, consider disabling LiveQuery subscriptions on protected fields or restricting LiveQuery access to trusted users and networks to reduce exposure. Implement network-level controls such as firewall rules or API gateways to limit access to parse-server endpoints. Monitor LiveQuery event logs for unusual subscription patterns targeting protected fields. Review application logic to minimize reliance on boolean protected fields that could leak sensitive state information. Engage in threat modeling to understand how inferred information could be leveraged in your environment. Finally, maintain up-to-date dependency management and vulnerability scanning to detect and remediate such issues promptly.