Parse Server is an open-source backend framework that supports real-time data synchronization through LiveQuery subscriptions. In affected versions prior to 8.6.65 and between 9.0.0 and 9.7.0-alpha.9, a race condition (CWE-362) exists due to improper synchronization when multiple clients subscribe concurrently to the same data class. The event handlers process each subscriber in parallel but use shared mutable objects to represent data. The sensitive data filter modifies these shared objects in-place to remove protected fields, but because of concurrent access, one subscriber's filtering can affect the data seen by others. This can cause unauthorized clients to receive sensitive fields or authentication data they should not access, or cause authorized clients to receive incomplete data. Similarly, afterEvent Cloud Code triggers that modify event data can leak changes across subscribers due to the same shared mutable state. This vulnerability compromises confidentiality and data integrity in real-time data delivery. The issue is resolved by introducing proper synchronization and isolation of subscriber data in parse-server versions 8.6.65 and 9.7.0-alpha.9. The CVSS 4.0 score is 8.2 (high), reflecting network exploitability without authentication or user interaction, and high confidentiality impact. No public exploits are known yet, but the vulnerability poses a significant risk in multi-client LiveQuery environments with protected fields or afterEvent triggers.

The vulnerability can lead to unauthorized disclosure of sensitive information, including protected fields and authentication data, to clients that should not have access. This breaches confidentiality and may expose user credentials or private data. Additionally, legitimate clients may receive incomplete or corrupted data, impacting data integrity and application reliability. Organizations relying on parse-server for real-time data synchronization with LiveQuery and using protected fields or afterEvent triggers are at risk of data leakage and trust erosion. Attackers can exploit this remotely without authentication or user interaction, increasing the threat surface. The impact is particularly severe for applications handling sensitive user information, financial data, or critical business processes. Exploitation could lead to compliance violations, reputational damage, and potential downstream attacks leveraging leaked authentication data.

Upgrade all parse-server deployments to version 8.6.65 or later, or 9.7.0-alpha.9 or later, where the race condition is patched. If immediate upgrading is not feasible, consider disabling LiveQuery subscriptions on classes with protected fields or afterEvent triggers to prevent concurrent access issues. Implement additional application-level access controls and data validation to detect and block unauthorized data exposure. Monitor logs for unusual LiveQuery subscription patterns or data anomalies that may indicate exploitation attempts. Conduct thorough testing of Cloud Code triggers to ensure they do not inadvertently share mutable state. Engage in secure coding practices to avoid shared mutable state in asynchronous event handlers. Finally, maintain up-to-date backups and incident response plans to quickly address any data breaches resulting from exploitation.