Parse Server Authentication Bypass Vulnerability Allowing Credentialless Signups

Vulnerability

An authentication bypass vulnerability has been identified in Parse Server 9.x versions from 9.0.0 up to (but not including) 9.6.0-alpha.29, and in versions prior to 8.6.49. It allows a client to sign up without providing valid credentials by sending an empty 'authData' object in place of a username and password. As a result, authenticated sessions can be created for accounts that hold no credentials at all, even when anonymous user signups are disabled. The root cause is that the server does not validate the contents of 'authData' before accepting a new user registration.

Impact

Exploitation of this vulnerability allows for the creation of authenticated user accounts without valid credentials, bypassing the username and password requirements. This could lead to unauthorized access to user-specific data or functionalities within the application.

Remediation

Users can update to Parse Server versions 9.6.0-alpha.29 or 8.6.49, where this vulnerability has been patched. Alternatively, a Cloud Code 'beforeSave' trigger can be implemented on the '_User' class to reject signups that do not include a username or password and have an empty 'authData'.
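The 'beforeSave' mitigation described above, as an added example that is not code from the Parse Server project or this advisory. The decision logic is kept in a pure function so it can be tested offline; the trigger registration assumes the Parse Cloud Code request shape (request.object.get(), request.object.isNew()) and that the plaintext password field is still visible to the trigger on signup.

```javascript
// Added example: Cloud Code 'beforeSave' trigger on '_User' that rejects
// signups carrying neither a username/password pair nor usable authData.
// The request shape and password visibility are assumptions (see lead-in).

// authData is usable only if it is a non-null, non-array object with at least
// one provider whose value is itself a non-empty object. The empty {} that
// triggers this advisory's bypass is therefore rejected here.
function hasUsableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return false;
  }
  return Object.values(authData).some(
    (data) => data !== null && typeof data === 'object' && Object.keys(data).length > 0
  );
}

// Classic credentials: a non-blank username and a non-empty password.
function hasCredentials(username, password) {
  return typeof username === 'string' && username.trim() !== '' &&
         typeof password === 'string' && password !== '';
}

// Returns null when the save may proceed, or a reason string when a new
// _User object (a signup) must be rejected. Updates to existing users pass.
function credentiallessSignupReason({ isNew, username, password, authData }) {
  if (!isNew) return null;
  if (hasCredentials(username, password)) return null;
  if (hasUsableAuthData(authData)) return null;
  return 'Signup requires a username and password, or non-empty authData.';
}

// Register the trigger only when running inside Parse Server Cloud Code, so
// the file can also be loaded stand-alone for testing.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave('_User', (request) => {
    const user = request.object;
    const reason = credentiallessSignupReason({
      isNew: user.isNew(),
      username: user.get('username'),
      password: user.get('password'),
      authData: user.get('authData'),
    });
    if (reason) {
      throw new Parse.Error(Parse.Error.OTHER_CAUSE, reason);
    }
  });
}
```

Provider-specific checks (for example, whether the anonymous adapter is enabled) are still performed by Parse Server itself; this trigger only closes the gap where an empty 'authData' object reached the user creation path unvalidated.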

Added: Mar 18, 2026, 10:20 PM
Updated: Mar 18, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          6.4
impact          5.0
exploitability  8.3
remediation     8.3
relevance       4.3
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.