Listen to this Post
How this CVE works: This vulnerability resides in Parse Server’s user signup flow . The core issue is that the server incorrectly validates the `authData` object during user creation. Normally, signing up requires either a username/password combination or valid third-party authentication data (like from Facebook or Instagram). However, in affected versions, an attacker can send a request to create a new user with an empty `authData` object (e.g., authData: {}). The server treats this empty object as valid authentication data, bypassing the standard requirement for username/password or a legitimate third-party token. This allows an attacker to create a new user session and authenticate to the Parse Server without providing any credentials, effectively creating an account out of thin air, even if anonymous user creation is disabled. The fix patches this by ensuring that an empty `authData` is treated the same as missing authData, thus falling back to requiring standard credentials.
DailyCVE Form:
Platform: Parse Server
Version: <8.6.49 & >=9.0.0<9.6.0-alpha.29
Vulnerability: Empty authData Bypass
Severity: Moderate
Date: 2026-03-16
Prediction: Patched versions already released.
What Undercode Say:
Analytics:
- Attack Vector: Remote, Unauthenticated
- Exploit Complexity: Low
- User Interaction: None
- Affected Components: Signup Controller, AuthData Validator
Bash Commands & Code:
1. Check Parse Server Version:
npm list parse-server
2. Vulnerable Request (Example using cURL):
curl -X POST \
http://your-parse-server.com/parse/classes/_User \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "Content-Type: application/json" \
-d '{
"authData": {},
"username": "attacker_account",
"password": "any_password"
}'
Note: In some vulnerable versions, even `username` and `password` fields might be omitted.
3. Upgrade to Patched Version:
npm install [email protected] or for 9.x track npm install [email protected]
How Exploit:
- An attacker sends a POST request to the `/classes/_User` (or
/users) endpoint. - The request body contains an empty JSON object for the `authData` field.
- The Parse Server, failing to validate that `authData` is actionable, processes the signup request as if it came from a valid third-party provider.
- The server creates a new user session and returns a session token to the attacker, granting them authenticated access to the backend.
Protection from this CVE:
- Immediate Patch: Upgrade Parse Server to version `8.6.49` or `9.6.0-alpha.29` (or later) immediately.
- Cloud Code Workaround: If an immediate upgrade isn’t possible, implement a `beforeSave` trigger for the `_User` class to block signups with empty
authData.Parse.Cloud.beforeSave(Parse.User, (request) => { const authData = request.object.get('authData'); const hasUsername = request.object.get('username'); const hasPassword = request.object.get('password'); // If authData is an empty object and no username/password, block the signup if (authData && typeof authData === 'object' && Object.keys(authData).length === 0) { if (!hasUsername || !hasPassword) { throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Signup requires credentials.'); } } });
Impact:
Successful exploitation allows an unauthenticated, remote attacker to create a valid user session on the Parse Server. This leads to unauthorized access to the application’s backend, potentially allowing the attacker to view, create, modify, or delete data that the newly created user has permissions for, compromising the confidentiality and integrity of the application.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

