GHSA-97pr-9hgg-3p8r: parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change

A Parse Server LiveQuery subscriber can receive object field values they are not authorized to read when a single save changes both an object field and the subscriber’s ACL read access to that object. When such a save removes the subscriber’s read access, the resulting leave event still carries the post-update object body, disclosing the new field values the subscriber is no longer permitted to read. The symmetric case applies to the enter event: when a save grants read access, the event includes the pre-grant object state the subscriber was not previously permitted to read. The disclosure is bounded to the single object affected by that save and is delivered only to the subscriber whose access changed. Applications that combine content changes with access-control changes in the same save on LiveQuery-enabled classes are affected.