GHSA-97PR-9HGG-3P8R

GHSA-97PR-9HGG-3P8R is a low-severity security vulnerability in parse-server (npm), affecting versions >= 9.0.0, < 9.9.1-alpha.13. It is fixed in 9.9.1-alpha.13 and 8.6.83.

Summary

Workarounds

Do not change an object's field values and a subscriber's ACL read access in the same save on LiveQuery-enabled classes; perform the access-control change in a separate save before or after the content change. Alternatively, limit which classes are enabled for LiveQuery.

Impact

A Parse Server LiveQuery subscriber can receive object field values they are not authorized to read when a single save changes both an object field and the subscriber's ACL read access to that object. When such a save removes the subscriber's read access, the resulting leave event still carries the post-update object body, disclosing the new field values the subscriber is no longer permitted to read. The symmetric case applies to the enter event: when a save grants read access, the event includes the pre-grant object state the subscriber was not previously permitted to read. The disclosure is bounded to the single object affected by that save and is delivered only to the subscriber whose access changed. Applications that combine content changes with access-control changes in the same save on LiveQuery-enabled classes are affected.

Affected versions

parse-server (>= 9.0.0, < 9.9.1-alpha.13)
parse-server (<= 8.6.82)

Security releases

parse-server → 9.9.1-alpha.13 (npm)
parse-server → 8.6.83 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Parse Server now verifies the subscriber's authorization for the specific object state included in leave and enter events. For a leave caused by the subscriber losing read access, the event delivers the last object state the subscriber was authorized to see instead of the post-update body. For an enter caused by the subscriber gaining read access, the previously unauthorized original object state is omitted. Events caused by a normal query-match change, where the subscriber keeps read access, are unaffected, as are master-key subscribers.
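To make the Impact and Remediation sections concrete, here is an added, simplified model of the event-body selection described above; it is not parse-server's own code. ACLs are modelled as a constructed `{ read: [...] }` list, `buildEvent` is a hypothetical helper, and the `patched` flag switches between the disclosed behaviour and the behaviour described in the remediation advice.

```javascript
// Added illustration, not parse-server's own code: a simplified model of how a
// LiveQuery subscriber's read access should decide which object state an
// enter/leave event may carry. ACL model: { read: [userId, ...] }, '*' = public.

function canRead(obj, subscriberId) {
  const readers = (obj.ACL && obj.ACL.read) || [];
  return readers.includes('*') || readers.includes(subscriberId);
}

// Classify the event for one subscriber after a save and pick the body to send.
// `patched: false` reproduces the disclosure; `patched: true` applies the fix.
function buildEvent(original, updated, subscriberId, { patched }) {
  const hadAccess = canRead(original, subscriberId);
  const hasAccess = canRead(updated, subscriberId);

  if (hadAccess && hasAccess) {
    // Normal update: the subscriber is allowed to read both states.
    return { op: 'update', object: updated, original };
  }
  if (hadAccess && !hasAccess) {
    // This save revoked read access: a leave event.
    return patched
      ? { op: 'leave', object: original }  // last state the subscriber could read
      : { op: 'leave', object: updated };  // VULNERABLE: post-update body leaks new values
  }
  if (!hadAccess && hasAccess) {
    // This save granted read access: an enter event.
    return patched
      ? { op: 'enter', object: updated }            // pre-grant state omitted
      : { op: 'enter', object: updated, original }; // VULNERABLE: pre-grant state disclosed
  }
  return null; // readable neither before nor after: no event at all
}

// Constructed sample: a single save rewrites `secret` AND removes alice's read access.
const before = { objectId: 'obj1', secret: 'old', ACL: { read: ['alice', 'bob'] } };
const after  = { objectId: 'obj1', secret: 'new', ACL: { read: ['bob'] } };

console.log('vulnerable leave:', buildEvent(before, after, 'alice', { patched: false }));
console.log('patched leave:   ', buildEvent(before, after, 'alice', { patched: true }));
```

Running the two saves separately, as the workaround advises, makes the access change and the content change distinct events, so the `hadAccess && !hasAccess` branch never coincides with a change in `secret`.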

Frequently Asked Questions

  1. What is GHSA-97PR-9HGG-3P8R? GHSA-97PR-9HGG-3P8R is a low-severity security vulnerability in parse-server (npm), affecting versions >= 9.0.0, < 9.9.1-alpha.13. It is fixed in 9.9.1-alpha.13 and 8.6.83.
  2. Which versions of parse-server are affected by GHSA-97PR-9HGG-3P8R? parse-server (npm) versions >= 9.0.0, < 9.9.1-alpha.13 are affected.
  3. Is there a fix for GHSA-97PR-9HGG-3P8R? Yes. GHSA-97PR-9HGG-3P8R is fixed in 9.9.1-alpha.13 and 8.6.83. Upgrade to one of these versions or later.
  4. Is GHSA-97PR-9HGG-3P8R exploitable, and should I be worried? Whether GHSA-97PR-9HGG-3P8R is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether GHSA-97PR-9HGG-3P8R is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-97PR-9HGG-3P8R?
    • Upgrade parse-server to 9.9.1-alpha.13 or later
    • Upgrade parse-server to 8.6.83 or later

Other vulnerabilities in parse-server

CVE-2026-55778, CVE-2026-53726, CVE-2026-53725, CVE-2026-53724, CVE-2026-50008
