Parse Server NoSQL Injection Vulnerability in Password Reset and Email Verification Endpoints

Vulnerability

A NoSQL injection vulnerability has been identified in Parse Server versions prior to 8.6.14 and 9.5.2-alpha.1. It allows an unauthenticated attacker to inject MongoDB query operators through the token field of the password reset and email verification resend endpoints. The submitted token value is passed into database queries without proper type validation, which enables the extraction of password reset and email verification tokens. Affected deployments are those that use MongoDB and have email verification or password reset enabled. Notably, if the option that permits reuse of a still-valid email verification token is configured, an extracted email verification token can be used to verify a user's email address without access to their inbox.
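The defect class the advisory describes, as an added example that is not Parse Server's own code: a request-body value forwarded into a MongoDB-style filter with no type check, beside the hardened form and a small operator-key detector for defence in depth. Field and function names (resetToken, buildTokenFilterVulnerable, buildTokenFilterHardened, findOperatorKeys) and the request bodies are assumptions.

```javascript
// Added example, not Parse Server's code. Field and function names are hypothetical.
// A JSON request body can carry an object where a string was expected; MongoDB
// treats an object value in a filter as an operator expression, not a literal.

// Vulnerable pattern: body.token is forwarded into the filter without a type check.
function buildTokenFilterVulnerable(body) {
  return { username: body.username, resetToken: body.token };
}

// Hardened pattern: only a non-empty plain string may reach the database layer.
function assertPlainString(value, name) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  return value;
}

function buildTokenFilterHardened(body) {
  return {
    username: assertPlainString(body.username, 'username'),
    resetToken: assertPlainString(body.token, 'token'),
  };
}

// Defence in depth / detection: list every key beginning with "$" (MongoDB operator
// syntax) at any depth of a parsed body, e.g. for a request-validation middleware
// or a log-based detection rule.
function findOperatorKeys(value, path = '') {
  const found = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => found.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      if (key.startsWith('$')) found.push(p);
      found.push(...findOperatorKeys(v, p));
    }
  }
  return found;
}

// Constructed request bodies: a legitimate one, and one whose token is an object
// with an operator-style key (a placeholder name, not a real MongoDB operator).
const legitimateBody = { username: 'alice', token: 'a1b2c3d4e5f6' };
const objectTokenBody = { username: 'alice', token: { $placeholder: 1 } };
```

The vulnerable builder forwards the object unchanged, so the database would interpret it as a query expression; the hardened builder rejects it before any query is built.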

Impact

Exploitation of this vulnerability could expose password reset and email verification tokens, allowing an attacker to manipulate users' email verification status and potentially to perform unauthorized password resets.

Remediation

Users can upgrade to Parse Server versions 8.6.14 or 9.5.2-alpha.1 to address this vulnerability.

Added: Mar 10, 2026, 6:53 PM
Updated: Mar 10, 2026, 6:53 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 7.9
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.