Parse Server Server-Side Request Forgery Vulnerability in File Upload Functionality

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Parse Server versions 4.2.0 through 7.5.3 and 8.0.0 through 8.3.1-alpha.1. It lies in the file upload feature, which lets a request specify a URI and has Parse Server fetch the file data from that URI. The server issues the outbound request before it crashes on the response, so the crash does not prevent exploitation: a client that can reach the upload endpoint can make the server send a request to any URI of the client's choosing, even though the response itself is never returned to the client (a blind SSRF).

Impact

Exploitation of this vulnerability gives an attacker Server-Side Request Forgery (SSRF): the attacker chooses the URI and Parse Server makes the request from its own network position, so the request can reach hosts the attacker cannot reach directly, such as services bound to the server's loopback interface, hosts on internal networks, or cloud instance metadata endpoints, and can be used to probe which of them answer. Because the response is not relayed and the server crashes on it, the SSRF is blind, and every attempt also crashes the Parse Server process, which is an availability impact in its own right.

Reproduction

To reproduce this vulnerability, send a file upload request to a Parse Server instance through the REST API and, instead of file content, supply a URI for the server to fetch. Point the URI at an HTTP listener you control (or at a resource that only the server can reach) so that the outbound request can be observed: the listener records a connection originating from the Parse Server host, which shows that the request is made server-side, and the Parse Server process crashes when the response arrives.

Remediation

Parse Server versions 7.5.4 and 8.4.0-alpha.2 remove the file upload code path that fetched file data from a request-supplied URI. Users should upgrade to 7.5.4 or later on the 7.x line, or 8.4.0-alpha.2 or later on the 8.x line. Until the upgrade is possible, the usual compensating control for SSRF applies: restrict the application host's outbound traffic at the network layer so that it cannot reach internal services or instance metadata endpoints.

Added: Nov 7, 2025, 6:18 PM
Updated: Nov 7, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread          6.4
impact          3.1
exploitability  9.7
remediation     7.7
relevance       0.9
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.