← voltar
CVE-2026-34574

Parse Server: Session field immutability bypass via falsy-value guard

CVSS 5.3 MEDIUMEPSS 0.2%CWE-697
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
31 mar 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Produtos afetados
parse-community · parse-server

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777https://github.com/parse-community/parse-server/pull/10347https://github.com/parse-community/parse-server/pull/10348https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22