5.4
CVE-2026-34574
- EPSS 0.21%
- Veröffentlicht 31.03.2026 15:08:31
- Zuletzt bearbeitet 02.04.2026 17:23:16
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginParse Server: Session field immutability bypass via falsy-value guard
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.69
Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha1 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha10 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha11 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha12 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha13 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha2 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha3 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha4 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha5 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha6 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha7 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha8 SwPlatformnode.js
Parseplatform ≫ Parse-server Version9.7.0 Updatealpha9 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.11 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
| security-advisories@github.com | 5.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-697 Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22
https://github.com/parse-community/parse-server/pull/10347
https://github.com/parse-community/parse-server/pull/10348
https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21
https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777