Parse Server Role Escalation and CLP Bypass Vulnerability

Vulnerability

A vulnerability in Parse Server has been identified that allows direct access to the internal tables managing Relation field mappings, such as role memberships. This issue affects Parse Server versions 9.0.0 prior to 9.5.2-alpha.7 and versions prior to 8.6.20. The vulnerability can be exploited through the REST API or GraphQL API by any client using only the application key; no master key is required. An attacker can create, read, update, or delete records in any internal relationship table. This enables the attacker to add themselves to any Parse Role and acquire all of its permissions, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Additionally, writing to any table that supports a Relation field used in a 'pointerFields' CLP can bypass that access control.

Impact

Exploitation of this vulnerability allows for unauthorized access to internal relationship tables, leading to unauthorized role escalation and bypassing of Class-Level Permissions (CLP) controls.

Remediation

Users can upgrade to Parse Server versions 9.5.2-alpha.7 or 8.6.20 to address this vulnerability.
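As an added defensive example (not Parse Server's or the advisory's own code), the following request-level check refuses or flags REST requests that address a class name which can never be a user-declared Parse class and that carry no master key. It assumes that user-declared class names consist only of letters, digits and underscores, that the internal relation tables use names outside that rule, that the REST API is mounted at /parse, and that the master key is sent in the X-Parse-Master-Key header.

```javascript
// Added example, not Parse Server's own code: refuse or alert on REST
// requests that address a class name which can never be a user-declared Parse
// class and that carry no master key. Assumptions (not from the advisory):
// user-declared class names are letters/digits/underscores only, internal
// relation tables use names outside that rule, the REST API is mounted at
// /parse, and the master key travels in the X-Parse-Master-Key header.
const SAFE_CLASS_NAME = /^_?[A-Za-z][A-Za-z0-9_]*$/;
const CLASSES_PATH = /^\/parse\/classes\/([^/?]+)/;

// Class name addressed by a /classes/ request, or null for other endpoints.
function requestedClass(path) {
  const m = CLASSES_PATH.exec(path);
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch { return m[1]; }
}

// True when the request targets a non-user-shaped class without the master key.
function isSuspicious(req) {
  const cls = requestedClass(req.path);
  if (cls === null || SAFE_CLASS_NAME.test(cls)) return false;
  return !Object.keys(req.headers).some(h => h.toLowerCase() === 'x-parse-master-key');
}

// Express-style middleware to mount in front of Parse Server as a stopgap
// until the fixed version is deployed; 119 is Parse's OPERATION_FORBIDDEN.
function rejectInternalClassAccess(req, res, next) {
  if (isSuspicious(req)) {
    return res.status(403).json({ code: 119, error: 'Permission denied' });
  }
  next();
}

// Same rule applied offline to access-log-style records.
function flagSuspicious(records) {
  return records.filter(isSuspicious);
}

// Constructed sample records; the colon-bearing name is a placeholder, not a
// real internal table name.
const SAMPLE_REQUESTS = [
  { method: 'GET', path: '/parse/classes/GameScore?limit=10',
    headers: { 'X-Parse-Application-Id': 'app' } },
  { method: 'POST', path: '/parse/classes/Internal%3Aexample%3ATable',
    headers: { 'X-Parse-Application-Id': 'app' } },
  { method: 'GET', path: '/parse/classes/Internal%3Aexample%3ATable',
    headers: { 'X-Parse-Application-Id': 'app', 'X-Parse-Master-Key': 'm' } },
  { method: 'POST', path: '/parse/login', headers: { 'X-Parse-Application-Id': 'app' } },
];
```

GraphQL requests do not pass through /classes/ and are not covered by this check, so it narrows exposure only for the REST path; upgrading to the fixed versions remains the actual remediation.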

Added: Mar 10, 2026, 9:23 PM
Updated: Mar 10, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.