Parse Server Denial-of-Service Vulnerability via Unconfigured Authentication Providers

Vulnerability

A denial-of-service vulnerability has been identified in Parse Server, an open-source backend framework that runs on Node.js. This issue affects versions prior to 8.6.58 and 9.6.0-alpha.52. The vulnerability allows an unauthenticated attacker to disrupt service by sending authentication requests that include arbitrary, unconfigured provider names. Each unconfigured provider name triggers a database query, leading to a full collection scan on the user database, as no index exists for these providers. This exploitation can be parallelized to overwhelm database resources.

Impact

Exploitation of this vulnerability can lead to a significant degradation of database performance, causing a high availability impact by saturating database resources and potentially disrupting normal application operations.

Reproduction

The vulnerability can be reproduced by sending authentication requests to the Parse Server with unconfigured provider names. This can be done by using the 'X-Parse-Application-Id' and 'X-Parse-REST-API-Key' headers, along with a request body that includes 'authData' with the unconfigured provider name. The server will respond by rejecting the request after performing an unindexed database query for each unconfigured provider, allowing for the denial-of-service condition to be created.
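As an added defence-in-depth illustration (not Parse Server's own patch), the Node.js check below classifies the provider names in a login request's `authData` against the deployment's configured providers and rejects the request before any user-collection lookup; the configured-provider list, request shape and log format are constructed for this example.

```javascript
// Added example: a defence-in-depth pre-check for Parse-style login requests.
// It is not Parse Server's own patch. Provider list, request shape and log
// format are constructed for this illustration.

// Constructed: the auth providers this deployment has actually configured.
const CONFIGURED_PROVIDERS = new Set(['facebook', 'google']);

// Split the provider names in authData into configured and unconfigured.
// Only `accepted` names should ever be used to look up a user; `rejected`
// names are the ones that would otherwise trigger an unindexed query.
function classifyAuthData(authData, configured = CONFIGURED_PROVIDERS) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return { accepted: [], rejected: [], malformed: true };
  }
  const accepted = [];
  const rejected = [];
  for (const provider of Object.keys(authData)) {
    (configured.has(provider) ? accepted : rejected).push(provider);
  }
  return { accepted, rejected, malformed: false };
}

// Express-style middleware: fail fast, before any database access, and emit a
// structured log line so a burst of unknown provider names is visible to
// monitoring. Returns the HTTP status it decided on (handy for testing).
function authDataGuard(req, res, next) {
  const body = req.body || {};
  if (body.authData === undefined) { next(); return 200; } // not a provider login
  const { accepted, rejected, malformed } = classifyAuthData(body.authData);
  if (malformed || rejected.length > 0) {
    console.warn(JSON.stringify({ event: 'unconfigured_auth_provider', ip: req.ip, rejected }));
    res.status(400).json({ error: 'unsupported authentication provider' });
    return 400;
  }
  req.acceptedProviders = accepted;
  next();
  return 200;
}

// Stand-alone demo with a constructed request: one configured and one
// unconfigured provider name, so the request is rejected without a query.
const demoReq = { ip: '203.0.113.5', body: { authData: { facebook: { id: 'u1' }, nosuchprovider: { id: 'x' } } } };
const demoRes = { status(c) { this.code = c; return this; }, json(b) { this.body = b; return this; } };
authDataGuard(demoReq, demoRes, () => {});
console.log(demoRes.code, demoRes.body); // 400 { error: 'unsupported authentication provider' }
```

The structured warning gives a simple detection hook: a high rate of `unconfigured_auth_provider` events from one source is the traffic pattern this advisory describes.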

Remediation

Users should upgrade to Parse Server 8.6.58 or later (or 9.6.0-alpha.52 or later on the 9.x alpha line) to address this vulnerability.

Added: Mar 24, 2026, 7:25 PM
Updated: Mar 24, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.