Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.
Internal Parse Server tables that store relation field mappings (e.g., role memberships) are not properly protected against external access (CWE-284 — improper access control). An attacker, possessing only the application key, can perform CRUD operations (create, read, update, delete) on any internal relation table. By doing so, they can inject any account into a selected role (Parse Role), assuming all associated permissions. Similarly, it is possible to bypass the pointerFields CLP mechanism by directly writing to the backing table of a given Relation field.
An attacker can grant themselves full read, write, and delete permissions to classes protected by Class-Level Permissions (CLP) based on roles, effectively taking control of the application's data. It is also possible to completely bypass other access control mechanisms based on pointer fields (pointerFields CLP).
Parse Server should be updated to version 9.5.2-alpha.7 (9.x branch) or 8.6.20 (8.x branch), in which the vulnerability has been fixed. Patches are available in the vendor's references on GitHub.
Parse Server (Parseplatform parse-server) in versions prior to 9.5.2-alpha.7 and prior to 8.6.20
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:LParseplatform Parse Server
APPParseplatform9.5.2< 8.6.209.0.0 – 9.5.2 (bez)
Related vulnerabilities
Parse Server: obejście walidatorów Cloud Functions przez prototype chain
Parse Server — przejęcie konta przez manipulację zapytaniem (Auth Bypass)
Race condition w Parse Server — błędna walidacja tokenów OAuth2
SQL Injection w Parse Server (PostgreSQL) — operacje Increment na polach zagnieżdżonych
SQL Injection w Parse Server (PostgreSQL) — operacje Increment na zagnieżdżonych polach