CVE-2026-33429: CWE-203: Observable Discrepancy in parse-community parse-server
CVE-2026-33429 is a medium severity vulnerability in parse-community's parse-server affecting versions prior to 8.6.54 and between 9.0.0 and 9.6.0-alpha.43. The flaw allows an attacker to subscribe to LiveQuery with a watch parameter on protected fields, which are normally hidden in event payloads. Although the protected field values are stripped, the presence or absence of update events leaks whether the protected field changed, effectively creating a binary oracle.
AI Analysis
Technical Summary
Parse Server is an open-source backend platform that supports LiveQuery subscriptions for real-time data updates. In affected versions prior to 8.6.54 and between 9.0.0 and 9.6.0-alpha.43, an attacker can exploit a vulnerability classified under CWE-203 (Observable Discrepancy) by subscribing to LiveQuery with a watch parameter targeting protected fields. Protected fields are designed to be hidden from event payloads to prevent unauthorized data disclosure. However, while the actual values of these fields are stripped from the event data, the system still emits update events when these fields change. This behavior creates a side-channel or binary oracle where the attacker can infer whether a protected field has changed based on the presence or absence of update notifications. For boolean protected fields, the timing and occurrence of these events directly correlate to the field's value, effectively leaking sensitive information. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The flaw was addressed and patched in parse-server versions 8.6.54 and 9.6.0-alpha.43 by modifying how update events are emitted for protected fields, eliminating this side-channel leakage.
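The observable discrepancy described above comes down to where in the delivery path protected fields are removed. The following added example, which is not parse-server's own code and uses hypothetical function and field names, models the LiveQuery "watch" decision in two shapes: a vulnerable one that decides whether to emit on the full objects and strips protected fields only from the payload, and a hardened one that sanitizes both snapshots (and the watch list) before deciding. It also generalizes slightly beyond the watch case: a subscription with no watch parameter likewise stays silent when only protected fields changed.

```javascript
// Added example (not parse-server's own code): models the LiveQuery "watch"
// delivery decision to show why evaluating it before stripping protected
// fields leaks a change oracle, and how evaluating it on the sanitized view
// closes the leak. Function and field names are hypothetical.

// Return the keys whose values differ between two snapshots of an object.
function changedKeys(original, updated) {
  const keys = new Set([...Object.keys(original), ...Object.keys(updated)]);
  return [...keys].filter(
    (k) => JSON.stringify(original[k]) !== JSON.stringify(updated[k])
  );
}

// Remove fields this subscriber is not allowed to see from a payload.
function stripProtected(object, protectedFields) {
  const visible = {};
  for (const [k, v] of Object.entries(object)) {
    if (!protectedFields.includes(k)) visible[k] = v;
  }
  return visible;
}

// Vulnerable shape: the "did a watched field change?" decision runs on the
// full objects, and protected fields are stripped only from the payload.
// A subscriber watching a protected field still receives an update event
// whenever that field changes, so the event itself is a binary oracle.
function vulnerableDeliver(subscription, original, updated, protectedFields) {
  const changed = changedKeys(original, updated);
  const trigger = subscription.watch.length
    ? changed.filter((k) => subscription.watch.includes(k))
    : changed;
  if (trigger.length === 0) return null; // no event emitted
  return stripProtected(updated, protectedFields); // event payload
}

// Hardened shape: sanitize both snapshots first and drop protected fields
// from the watch list, so the decision can only observe visible fields.
function hardenedDeliver(subscription, original, updated, protectedFields) {
  const visibleBefore = stripProtected(original, protectedFields);
  const visibleAfter = stripProtected(updated, protectedFields);
  const changed = changedKeys(visibleBefore, visibleAfter);
  const watch = subscription.watch.filter((k) => !protectedFields.includes(k));
  let trigger;
  if (subscription.watch.length === 0) {
    trigger = changed; // no watch: any visible change triggers an event
  } else {
    trigger = changed.filter((k) => watch.includes(k)); // only visible watched keys
  }
  if (trigger.length === 0) return null; // no event emitted
  return visibleAfter;
}

// Constructed sample: a boolean protected field flips, nothing else changes.
const PROTECTED = ['isFlagged'];
const before = { objectId: 'xyz123', name: 'alice', isFlagged: false };
const after = { objectId: 'xyz123', name: 'alice', isFlagged: true };
const watchProtected = { watch: ['isFlagged'] };

// The vulnerable path emits an event (payload without the value, but the
// event's existence reveals the change); the hardened path emits nothing.
console.log('vulnerable:', vulnerableDeliver(watchProtected, before, after, PROTECTED));
console.log('hardened:', hardenedDeliver(watchProtected, before, after, PROTECTED));
```

The point of the hardened variant is ordering: any decision that can suppress or produce an observable event must be computed only from data the subscriber is already entitled to see, otherwise the decision itself becomes the leak.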
Potential Impact
This vulnerability can lead to unauthorized disclosure of sensitive information stored in protected fields within parse-server databases. Attackers can remotely infer changes to protected data, potentially revealing confidential boolean flags or other sensitive state indicators. Although the actual data values are not directly exposed, the side-channel leakage can be leveraged to gain insights into protected data changes, which could facilitate further targeted attacks or data inference. Organizations relying on parse-server for backend services, especially those handling sensitive user data or business logic flags, may face confidentiality breaches. The vulnerability does not allow direct data modification or denial of service but compromises data confidentiality through information leakage. Given parse-server's use in various applications worldwide, this could impact a broad range of industries including mobile app backends, IoT platforms, and SaaS providers.
Mitigation Recommendations
The primary mitigation is to upgrade parse-server to version 8.6.54 or later, or 9.6.0-alpha.43 or later, where the vulnerability is patched. Until upgrades can be applied, organizations should consider disabling LiveQuery subscriptions on protected fields or implementing additional access controls to restrict subscription capabilities to trusted users only. Monitoring LiveQuery event patterns for anomalous subscription behavior may help detect exploitation attempts. Additionally, reviewing application logic to minimize reliance on boolean protected fields that could be inferred via timing analysis can reduce risk. Employing network-level protections such as rate limiting and anomaly detection on LiveQuery endpoints can further mitigate exploitation likelihood. Finally, organizations should audit their parse-server configurations and logs to identify any suspicious subscription activity targeting protected fields.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-19T18:45:22.434Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c2d884f4197a8e3b5f9659
Added to database: 3/24/2026, 6:31:32 PM
Last enriched: 3/31/2026, 8:24:11 PM
Last updated: 5/7/2026, 4:29:30 AM