CVE-2022-31112: Protected fields exposed via LiveQuery
CVSS Score: 8.2 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-31112
GHSA ID:
EPSS Score: 0.66925%
CWE:
Published: 7/6/2022
Updated: 7/24/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| parse-server | npm | < 4.10.13 | 4.10.13 |
| parse-server | npm | >= 5.0.0, < 5.2.4 | 5.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing protected field filtering in LiveQuery event handling. Key indicators:

1) The patch added a new _filterSensitiveData method to handle field removal.
2) Event handlers were modified to call this filtering.
3) DatabaseController changes show schema handling improvements.
4) A test case specifically checks protected field stripping.

The original code only had ad-hoc sessionToken/authData removal but lacked systematic protected field handling via schema definitions, allowing exposure of any fields marked protected in class-level permissions.
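As an added illustration (not parse-server's own code; the class, the sample object, the shape of the protectedFields entry and the intersection rule used to combine entries are all simplifications assumed for this example), the following JavaScript contrasts the ad-hoc sessionToken/authData removal with schema-driven protected field filtering applied to a LiveQuery-style event before it is pushed to a subscriber:

```javascript
// Added illustration (not parse-server's code): a LiveQuery-style event is
// filtered against the class-level permission (CLP) "protectedFields" entry
// for the subscriber before it is sent, instead of an ad-hoc deny list.

// Constructed schema for a hypothetical "Patient" class. The protectedFields
// shape loosely follows a Parse CLP: keys are "*" (everyone), "role:<name>"
// or a user id, each mapping to the field names hidden from that audience.
const SCHEMA = {
  Patient: {
    classLevelPermissions: {
      protectedFields: {
        '*': ['ssn', 'diagnosis', 'insuranceId'],
        'role:Doctor': ['ssn', 'insuranceId'],
        'billing-user-42': ['diagnosis'],
      },
    },
  },
};

// Pre-fix behaviour as described in the root cause analysis: only two
// hard-coded fields are stripped, so CLP-protected fields reach every subscriber.
function filterAdHoc(object) {
  const copy = { ...object };
  delete copy.sessionToken;
  delete copy.authData;
  return copy;
}

// Resolve which fields are protected for this subscriber. Assumed combination
// rule for this example: every applicable entry ("*", each of the subscriber's
// roles, the subscriber's id) is intersected, so an entry that grants an
// audience more visibility removes fields from the protected set.
function protectedFieldsFor(schema, className, subscriber) {
  const cls = schema[className];
  const entry = cls && cls.classLevelPermissions && cls.classLevelPermissions.protectedFields;
  if (!entry) return new Set();
  const keys = ['*'];
  if (subscriber) {
    (subscriber.roles || []).forEach(r => keys.push('role:' + r));
    if (subscriber.id) keys.push(subscriber.id);
  }
  let protectedSet = null;
  for (const key of keys) {
    if (!Object.prototype.hasOwnProperty.call(entry, key)) continue;
    const fields = entry[key];
    protectedSet = protectedSet === null
      ? new Set(fields)
      : new Set([...protectedSet].filter(f => fields.includes(f)));
  }
  return protectedSet || new Set();
}

// Post-fix behaviour: strip the hard-coded sensitive fields and everything the
// schema marks protected for this subscriber. Returns a new object.
function filterSensitiveData(schema, className, subscriber, object) {
  const copy = filterAdHoc(object);
  for (const field of protectedFieldsFor(schema, className, subscriber)) {
    delete copy[field];
  }
  return copy;
}

// Build the message a LiveQuery-style server would push for one subscriber.
function buildEvent(op, className, object, subscriber, schema = SCHEMA) {
  return { op, className, object: filterSensitiveData(schema, className, subscriber, object) };
}

// Constructed sample object as it would arrive from an afterSave trigger.
const PATIENT = {
  objectId: 'p1', name: 'Ada', ssn: '000-00-0000', diagnosis: 'X',
  insuranceId: 'ins-1', sessionToken: 'r:abc', authData: { anonymous: {} },
};

// Demo: the ad-hoc filter leaks three protected fields; the schema-driven
// filter hides them from an anonymous subscriber and only ssn/insuranceId
// from a Doctor.
console.log(filterAdHoc(PATIENT));
console.log(buildEvent('update', 'Patient', PATIENT, null).object);
console.log(buildEvent('update', 'Patient', PATIENT, { id: 'u1', roles: ['Doctor'] }).object);
```

The point the example makes is that the protected set is derived from the schema for the specific subscriber, so a field newly marked protected in a CLP is hidden from LiveQuery subscribers without touching the event code, which an ad-hoc list of two field names cannot do.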