Impact
Parse Server allows an authenticated user to overwrite the server-generated session fields sessionToken, expiresAt and createdWith when creating a session via POST /classes/_Session. An attacker can therefore set an arbitrary far-future expiration date, bypassing the server's session expiration policy, and assign a predictable session token value. The result is a session that outlives the configured lifetime and carries a token the attacker already knows, which weakens authentication controls and widens the window for session hijacking. The weakness is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes, i.e. mass assignment of fields that should only be set by the server).
Affected Systems
Affected product: parse-community:parse-server. The fix ships in 9.6.0-alpha.17 (9.x line) and 8.6.42 (8.x line); 9.6.0-alpha.16 and earlier, and 8.6.41 and earlier, are affected, matching the CPE entries on this page. Administrators should compare their installed version (for example the output of npm ls parse-server) against those CPE strings to determine exposure.
Risk and Exploitability
The CVSS base score is 4.3 (Medium). The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated user who is permitted to create a session. The attacker sends a POST request to /classes/_Session whose body includes sessionToken, expiresAt and createdWith; a vulnerable version stores the supplied values instead of generating its own, so the attacker can bypass the expiration policy and choose a predictable token, gaining prolonged unauthorized access with whatever privileges the session carries. Mitigation is a version upgrade and is low effort, but the upgrade does not alter sessions already stored, so existing _Session records should be reviewed for far-future expiresAt values or tokens that do not have the server-issued shape, and any suspicious session deleted.
OpenCVE Enrichment source: GitHub GHSA