Vulnerability details: VCID-6n48-nv1g-6uc2
Vulnerability ID VCID-6n48-nv1g-6uc2
Aliases CVE-2022-39225
GHSA-6w4q-23cf-j9jp
GMS-2022-4383
Summary: parse-server's session object properties can be updated by foreign user if object ID is known

### Impact
A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to a foreign user does not usually change the privileges of either of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges, this vulnerability may have a higher level of severity. The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects; a user cannot assign their own session to another user. While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs.

### Patches
The fix prevents writing to foreign session objects, even if the session object ID is known.

### Workarounds
Add a `beforeSave` trigger to the `_Session` class and prevent writing if the requesting user is different from the user in the session object.

### References
- GitHub advisory [GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)
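The workaround described above can be expressed as a Cloud Code `beforeSave` trigger on `_Session`. The following is an added example written for this page, not code from the advisory or the parse-server project; it assumes the standard Cloud Code request shape (`request.user`, `request.object`, `request.original`, `request.master`) and keeps the decision in a pure function so it can be checked without a running server.

```javascript
// Decide whether a write to a _Session object may proceed.
// Returns null when allowed, or a short reason string when it must be denied.
// All field names here mirror the Cloud Code request object; the helper itself
// is an example for this page, not part of Parse Server.
function sessionWriteDenialReason({ master, requestingUserId, originalUserId, newUserId }) {
  // Master-key writes (login, logout, server-side jobs) keep full access.
  if (master) return null;
  // Without an authenticated user there is no owner to compare against.
  if (!requestingUserId) return 'unauthenticated write to _Session';
  // Update of an existing session: the requester must be the user it already belongs to.
  if (originalUserId && originalUserId !== requestingUserId) {
    return 'session belongs to a different user';
  }
  // Never allow a session to be re-pointed at another user via the `user` field.
  if (newUserId && newUserId !== requestingUserId) {
    return 'session user field must reference the requesting user';
  }
  return null;
}

// Pull the plain identifiers out of a Cloud Code beforeSave request.
// `request.original` is only present for updates, not for creates.
function reasonFromRequest(request) {
  const pointerId = (obj) => (obj && obj.id) || null;
  return sessionWriteDenialReason({
    master: Boolean(request.master),
    requestingUserId: pointerId(request.user),
    originalUserId: request.original ? pointerId(request.original.get('user')) : null,
    newUserId: pointerId(request.object.get('user')),
  });
}

// Register the trigger only when this file is loaded by Parse Server as Cloud Code.
if (typeof Parse !== 'undefined' && Parse.Cloud && Parse.Cloud.beforeSave) {
  Parse.Cloud.beforeSave('_Session', (request) => {
    const reason = reasonFromRequest(request);
    if (reason) throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, reason);
  });
}
```

Deny decisions surface as `OPERATION_FORBIDDEN` errors in the server log, which also gives a detection signal for attempts to write to foreign session objects.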
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00221 https://api.first.org/data/v1/epss?cve=CVE-2022-39225
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-6w4q-23cf-j9jp
cvssv3.1 4.3 https://github.com/parse-community/parse-server
generic_textual MODERATE https://github.com/parse-community/parse-server
cvssv3.1 4.3 https://github.com/parse-community/parse-server/commit/37fed3062ccc3ef1dfd49a9fc53318e72b3e4aff
generic_textual MODERATE https://github.com/parse-community/parse-server/commit/37fed3062ccc3ef1dfd49a9fc53318e72b3e4aff
cvssv3.1 4.3 https://github.com/parse-community/parse-server/releases/tag/4.10.15
generic_textual MODERATE https://github.com/parse-community/parse-server/releases/tag/4.10.15
cvssv3.1 4.3 https://github.com/parse-community/parse-server/releases/tag/5.2.6
generic_textual MODERATE https://github.com/parse-community/parse-server/releases/tag/5.2.6
cvssv3.1 4.3 https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
cvssv3.1_qr MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
generic_textual MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2022-39225
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-39225
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/commit/37fed3062ccc3ef1dfd49a9fc53318e72b3e4aff
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/releases/tag/4.10.15
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/releases/tag/5.2.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:57:18Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-39225
Exploit Prediction Scoring System (EPSS)
Percentile 0.44763
EPSS Score 0.00221
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:45:36.939267+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-6w4q-23cf-j9jp/GHSA-6w4q-23cf-j9jp.json 38.6.0