Parse Server HTTP Range Request Authorization Bypass Vulnerability

Vulnerability

A vulnerability in Parse Server prior to versions 8.6.71 and 9.7.1-alpha.1 allows HTTP Range requests to bypass the afterFind(Parse.File) trigger and its associated validators on storage adapters that support streaming, such as the default GridFS adapter. This flaw enables unauthorized access to files that should be protected by the afterFind trigger's authorization logic or built-in validators like requireUser. The issue arises because the afterFind trigger is not executed before processing Range requests, leaving a gap in file access control.

Impact

Exploitation of this vulnerability allows unauthorized access to files through HTTP Range requests, bypassing crucial authorization triggers and validators, potentially leading to unauthorized file downloads.

Reproduction

To reproduce this vulnerability, upload a file and set up an afterFind trigger for Parse.File that requires user authorization. Then, send an HTTP Range request for the file without including a session token that verifies user authentication. The server will respond with the file data, ignoring the afterFind trigger's authorization requirements.

Remediation

Users can update to Parse Server versions 8.6.71 or 9.7.1-alpha.1, where this vulnerability has been patched. Alternatively, as a temporary workaround, the beforeFind(Parse.File) trigger can be used for file access authorization, as it applies to all download methods, including streaming.
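As an added example of the workaround described above (this is not Parse Server's own code and not part of the advisory), the cloud code below registers a beforeFind(Parse.File) trigger that decides file access before any bytes are served, so a streamed Range request goes through the same check as a full download. The Document class with its fileName and owner fields, and the helper names decideFileRead, lookupOwnerId and registerFileGuard, are assumptions for illustration; an installation would substitute whatever records its file ownership.

```javascript
// Added example, not Parse Server project code: cloud code implementing the
// advisory's workaround. beforeFind(Parse.File) runs on every file download
// path, including streamed HTTP Range requests, so an authorization check placed
// there is not skipped the way afterFind was on streaming adapters. The
// "Document" class with "fileName" and "owner" fields and the helper names are
// assumptions for illustration.

// Pure decision logic, kept free of Parse objects so it can be tested offline.
// userId: id of the user resolved from the session token (undefined if none).
// ownerId: id of the user recorded as the file's owner (null if unknown).
function decideFileRead({ userId, ownerId }) {
  if (!userId) {
    // No valid session token: deny, mirroring the requireUser validator.
    return { allowed: false, reason: 'unauthenticated' };
  }
  if (ownerId === null || ownerId === undefined) {
    // A file with no ownership record is treated as private by default.
    return { allowed: false, reason: 'no owner record' };
  }
  if (ownerId !== userId) {
    return { allowed: false, reason: 'not the owner' };
  }
  return { allowed: true, reason: 'owner' };
}

// Resolve the owner of a stored file name by querying the hypothetical
// Document class. The query runs with the master key because the caller's
// own permissions are exactly what is being decided here.
async function lookupOwnerId(Parse, fileName) {
  const query = new Parse.Query('Document');
  query.equalTo('fileName', fileName);
  const doc = await query.first({ useMasterKey: true });
  const owner = doc ? doc.get('owner') : null;
  return owner ? owner.id : null;
}

// Register the guard. `Parse` is passed in rather than required at module top
// level so this file can be loaded without the SDK; in cloud/main.js call
// registerFileGuard(Parse).
function registerFileGuard(Parse) {
  Parse.Cloud.beforeFind(
    Parse.File,
    async (request) => {
      // request.file is the Parse.File being requested; its name identifies
      // the stored object regardless of whether the client asked for a Range.
      const fileName = request.file.name();
      const ownerId = await lookupOwnerId(Parse, fileName);
      const decision = decideFileRead({
        userId: request.user ? request.user.id : undefined,
        ownerId,
      });
      if (!decision.allowed) {
        // Throwing from beforeFind aborts the download before any bytes,
        // ranged or not, are sent to the client.
        throw new Parse.Error(
          Parse.Error.OPERATION_FORBIDDEN,
          `file download denied: ${decision.reason}`
        );
      }
    },
    // Built-in validator: rejects callers without a session before the
    // handler runs, so unauthenticated Range requests never reach the lookup.
    { requireUser: true }
  );
}
```

The ownership rule is deliberately kept in decideFileRead, separate from the Parse.Query lookup, so the deny-by-default behaviour for missing sessions and unknown files can be unit-tested without a running server; the trigger body only gathers inputs and translates a denial into a Parse.Error.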

Added: Mar 31, 2026, 8:23 PM
Updated: Mar 31, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 7.4
remediation: 8.3
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.