CVE-2022-39225

CVE-2022-39225 is a medium-severity security vulnerability in parse-server (npm), affecting versions < 4.10.15 and >= 5.0.0, < 5.2.6. It is fixed in 4.10.15 and 5.2.6.

Workarounds

Add a beforeSave trigger to the _Session class and prevent writing if the requesting user is different from the user in the session object.
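One way to implement this workaround in Parse Cloud Code, as an added example that is not from the advisory or from Parse Server itself. It assumes the standard trigger request shape (`request.master`, `request.user`, `request.object`, `request.original`) and lets master-key requests through, since Parse Server creates and updates sessions internally with the master key.

```javascript
// Added example, not code from the advisory or from Parse Server: a Cloud Code
// beforeSave trigger for the _Session class implementing the workaround above.
// Assumes the standard Parse Server trigger request shape (master, user,
// object, original) and lets master-key requests through, which is how
// Parse Server itself creates and updates sessions.

// The check is a plain function so it can be exercised without a running
// Parse Server; `request.object` is the session as it would be saved and
// `request.original` the stored session (undefined on create).
function assertOwnSessionWrite(request) {
  if (request.master) {
    return true; // master key: server internals and trusted admin scripts
  }
  const requester = request.user;
  if (!requester) {
    throw new Error('Session writes require an authenticated user');
  }
  const storedOwner = request.original ? request.original.get('user') : undefined;
  const newOwner = request.object.get('user');

  // Refuse writes to a session that belongs to someone else ...
  if (storedOwner && storedOwner.id !== requester.id) {
    throw new Error('Cannot modify a session owned by another user');
  }
  // ... and refuse handing a session to someone else (or to nobody).
  if (!newOwner || newOwner.id !== requester.id) {
    throw new Error('Cannot assign a session to another user');
  }
  return true;
}

// Register with Parse Cloud Code when the Parse global is present (guarded so
// the file also loads in a plain Node process for testing).
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave('_Session', (request) => {
    assertOwnSessionWrite(request); // throwing aborts the save with an error
  });
}
```

Because the trigger only compares the requesting user with the session's `user` pointer, it blocks the reassignment described under Impact without affecting Parse Server's own master-key session handling.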

Impact

A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object.

Note that assigning a session to a foreign user does not usually change the privileges of either of the two users, given how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges, this vulnerability may have a higher level of severity.

The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user in order to authenticate as that user with the known session token. The vulnerability only exists for foreign session objects; a user cannot assign their own session to another user.

While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs.

CVE-2022-39225 has a CVSS score of 4.3 (Medium). The attack vector is network, with low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (4.10.15, 5.2.6); upgrading removes the vulnerable code path.

Affected versions

parse-server (< 4.10.15)
parse-server (>= 5.0.0, < 5.2.6)

Security releases

parse-server → 4.10.15 (npm)
parse-server → 5.2.6 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

The fix prevents writing to foreign session objects, even if the session object ID is known.

Frequently Asked Questions

  1. What is CVE-2022-39225? CVE-2022-39225 is a medium-severity security vulnerability in parse-server (npm), affecting versions < 4.10.15 and >= 5.0.0, < 5.2.6. It is fixed in 4.10.15 and 5.2.6.
  2. How severe is CVE-2022-39225? CVE-2022-39225 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of parse-server are affected by CVE-2022-39225? parse-server (npm) versions < 4.10.15 and >= 5.0.0, < 5.2.6 are affected.
  4. Is there a fix for CVE-2022-39225? Yes. CVE-2022-39225 is fixed in 4.10.15 and 5.2.6. Upgrade to one of these versions or later.
  5. Is CVE-2022-39225 exploitable, and should I be worried? Whether CVE-2022-39225 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2022-39225 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-39225?
    • Upgrade parse-server to 4.10.15 or later
    • Upgrade parse-server to 5.2.6 or later
