Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.5.0-alpha.11
- < 8.6.10
A vulnerability exists in Parse Server authentication adapters for Google, Apple, and Facebook, prior to versions 8.6.10 and 9.5.0-alpha.11. The issue arises because JWT verification, used to validate identity tokens, skips audience claim validation when the audience configuration option is not set. This oversight allows an attacker to use a validly signed JWT from a different application to authenticate as any user on the target Parse Server. The vulnerability is exploitable on unpatched versions if the 'clientId' is not configured for Google or Apple. For Facebook Limited Login, the vulnerability exists regardless of configuration, as the adapter does not pass 'appIds' to JWT verification for audience validation.
Exploitation allows authentication as any user on the target Parse Server, using a validly signed JWT from a different application.
Users can upgrade to Parse Server versions 8.6.10 or 9.5.0-alpha.11, where this vulnerability has been patched. For Google and Apple, ensure 'clientId' is set in the adapter configuration. For Facebook Limited Login, there is no workaround other than upgrading.