Parse Server session creation endpoint allows overwriting server-generated session fields

Impact

An authenticated user can overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session object via POST /classes/_Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.

Patches

The session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten.

Workarounds

Add a beforeSave trigger on the _Session class to validate and reject or strip any user-supplied values for sessionToken, expiresAt, and createdWith.

References

mtrezza published to parse-community/parse-server Mar 16, 2026

Published to the GitHub Advisory Database Mar 17, 2026

Reviewed Mar 17, 2026

Published by the National Vulnerability Database Mar 18, 2026

Last updated Mar 19, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVE ID

GHSA ID

Source code

Credits

Uh oh!