Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- < 8.6.12
- >= 9.0.0, < 9.5.1-alpha.1
A vulnerability in Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allows for bypassing the requestKeywordDenylist security control. This is achieved by placing any nested object or array before a prohibited keyword in the request payload. The issue arises from a logic bug that halts the scanning of sibling keys after the first nested value is encountered. This vulnerability affects all Parse Server deployments, as the requestKeywordDenylist is enabled by default. Additionally, any custom entries in the denylist configured by the developer can be bypassed using the same technique.
Exploiting this vulnerability allows for a moderate integrity impact by bypassing the requestKeywordDenylist, which is designed to prevent certain keywords from being processed in requests. This could lead to unauthorized data manipulation or interference with the application's logic.
Users can update to Parse Server versions 8.6.12 or 9.5.1-alpha.1, where this vulnerability has been patched. Additionally, a Cloud Code beforeSave trigger can be used to validate incoming data for prohibited keywords across all classes.
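As an added example (not Parse Server's own code), the following constructed scanner re-creates the sibling-scan logic bug described above next to its corrected recursive form, plus a beforeSave-style guard of the kind the mitigation suggests; the denylist entries, the helper names and the guard function are assumptions for illustration only.

```javascript
// Constructed denylist entries for illustration (shape: key, optional value).
const DENYLIST = [{ key: '__proto__' }, { key: 'constructor' }, { key: '_bsontype', value: 'Code' }];

function matchesEntry(entry, key, value) {
  if (entry.key !== key) return false;
  return entry.value === undefined || entry.value === value;
}

// Re-creation of the described logic bug: on the first nested object or array
// the function returns the recursion result directly, so any sibling keys that
// follow the nested value are never inspected.
function findDeniedKeywordBuggy(obj, denylist = DENYLIST) {
  if (obj === null || typeof obj !== 'object') return null;
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    const hit = denylist.find(e => matchesEntry(e, key, value));
    if (hit) return hit;
    if (value !== null && typeof value === 'object') {
      return findDeniedKeywordBuggy(value, denylist); // bug: early return
    }
  }
  return null;
}

// Corrected form: descend into every nested value, and keep scanning the
// remaining siblings when the nested scan finds nothing.
function findDeniedKeyword(obj, denylist = DENYLIST) {
  if (obj === null || typeof obj !== 'object') return null;
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    const hit = denylist.find(e => matchesEntry(e, key, value));
    if (hit) return hit;
    if (value !== null && typeof value === 'object') {
      const nested = findDeniedKeyword(value, denylist);
      if (nested) return nested;
    }
  }
  return null;
}

// Hypothetical guard to call from a Cloud Code beforeSave trigger with the
// plain JSON of the incoming object; rejects the save on any denylist match.
function beforeSaveGuard(requestJson) {
  const hit = findDeniedKeyword(requestJson);
  if (hit) throw new Error(`Prohibited keyword in request: ${hit.key}`);
  return true;
}
```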