Impact
A flaw in Parse Server allows authenticated users with find class‑level permission to bypass the protectedFields setting on LiveQuery subscriptions. By crafting a subscription containing a logical operator ($or, $and, $nor) whose value is an array‑like object instead of a real array, the server incorrectly accepts the request and emits a subscription event that functions as a binary oracle. The attacker can deduce whether a protected field matches a chosen test value, effectively leaking information about sensitive fields.
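The root cause described above is a type check that treats an array‑like object (an object with numeric keys and a `length` property) the same as a real array. The following is an added defensive example, not Parse Server's own code: it contrasts the loose check with a strict `Array.isArray` check and walks a subscription's `where` clause to reject any `$or`, `$and` or `$nor` whose value is not a genuine array. The function names, the assumption that the clause is a plain JSON object, and the sample inputs are all constructed for this illustration.

```javascript
// Added example (not Parse Server code): detect logical operators in a
// LiveQuery-style "where" clause whose value is an array-like object rather
// than a real Array. Assumption: the clause is a plain JSON object using the
// MongoDB-style operator names $or / $and / $nor.
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Loose check of the kind that lets the bypass through: an object such as
// {0: {...}, length: 1} looks "array-like" (object with a numeric length)
// but is not an Array, so later code that indexes it may behave unexpectedly.
function isArrayLikeLoose(value) {
  return typeof value === 'object' && value !== null && typeof value.length === 'number';
}

// Strict check: only genuine arrays are accepted. Array.isArray also
// recognises arrays created in another realm, which instanceof would miss.
function isRealArray(value) {
  return Array.isArray(value);
}

// Recursively walk the where clause and collect every logical operator whose
// value is not a real array. Returns an empty list when the clause is clean.
function findMalformedLogicalOperators(where, path = 'where') {
  const violations = [];
  if (typeof where !== 'object' || where === null) return violations;
  for (const [key, value] of Object.entries(where)) {
    const here = `${path}.${key}`;
    if (LOGICAL_OPERATORS.has(key)) {
      if (!isRealArray(value)) {
        violations.push({ path: here, reason: 'logical operator value is not an Array' });
        continue; // do not descend into the malformed value
      }
      value.forEach((clause, i) => {
        violations.push(...findMalformedLogicalOperators(clause, `${here}[${i}]`));
      });
    } else if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      // Nested sub-query object (e.g. {field: {$in: [...]}}); keep walking.
      violations.push(...findMalformedLogicalOperators(value, here));
    }
  }
  return violations;
}

// Guard to run before a subscription is accepted: true only when every
// logical operator carries a real array.
function subscriptionWhereIsSafe(where) {
  return findMalformedLogicalOperators(where).length === 0;
}

// Constructed sample inputs (not taken from any real subscription).
const legitimateWhere = { $or: [{ status: 'open' }, { status: 'pending' }] };
const arrayLikeWhere = { $or: { 0: { status: 'open' }, length: 1 } };
const nestedWhere = { owner: 'u1', $and: [{ $nor: { 0: { a: 1 }, length: 1 } }] };

console.log('legitimate safe:', subscriptionWhereIsSafe(legitimateWhere));   // true
console.log('array-like safe:', subscriptionWhereIsSafe(arrayLikeWhere));    // false
console.log('loose check fooled:', isArrayLikeLoose(arrayLikeWhere.$or));    // true
console.log('nested violations:', findMalformedLogicalOperators(nestedWhere));
```

A check of this shape belongs at the point where the subscription query is first validated, before any class‑level permission or protectedFields logic runs, so that a malformed operator is rejected outright instead of reaching the matching code that turns it into an oracle. Logging the rejected path (as the violation records do) also gives defenders a detection signal for probing attempts against unpatched servers.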
Affected Systems
The issue affects the open‑source Parse Server from the parse-community project. Vulnerable versions are all releases earlier than 8.6.70 and all 9.7.0 alpha releases earlier than 9.7.0‑alpha.18 (9.7.0‑alpha.1 through 9.7.0‑alpha.17). This includes deployments running on any infrastructure capable of executing Node.js.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires an authenticated user with find permission who sends a LiveQuery subscription containing the crafted operator. If successful, the attacker can perform repeated oracle queries to infer values of protected fields, leading to potential data leakage. Administrators should treat this as a risk that can be mitigated by updating the server or restricting permissions.
OpenCVE Enrichment
Github GHSA