Parse Server, Authentication Bypass, CVE-2025- (Moderate)

Listen to this Post

How this CVE works: This vulnerability resides in Parse Server’s user signup flow . The core issue is that the server incorrectly validates the `authData` object during user creation. Normally, signing up requires either a username/password combination or valid third-party authentication data (like from Facebook or Instagram). However, in affected versions, an attacker can send a request to create a new user with an empty `authData` object (e.g., authData: {}). The server treats this empty object as valid authentication data, bypassing the standard requirement for username/password or a legitimate third-party token. This allows an attacker to create a new user session and authenticate to the Parse Server without providing any credentials, effectively creating an account out of thin air, even if anonymous user creation is disabled. The fix patches this by ensuring that an empty `authData` is treated the same as missing authData, thus falling back to requiring standard credentials.

DailyCVE Form:

Platform: Parse Server
Version: <8.6.49 & >=9.0.0<9.6.0-alpha.29
Vulnerability: Empty authData Bypass
Severity: Moderate
Date: 2026-03-16

Prediction: Patched versions already released.

What Undercode Say:

Analytics:

  • Attack Vector: Remote, Unauthenticated
  • Exploit Complexity: Low
  • User Interaction: None
  • Affected Components: Signup Controller, AuthData Validator

Bash Commands & Code:

1. Check Parse Server Version:

npm list parse-server

2. Vulnerable Request (Example using cURL):

curl -X POST \
http://your-parse-server.com/parse/classes/_User \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "Content-Type: application/json" \
-d '{
"authData": {},
"username": "attacker_account",
"password": "any_password"
}'

Note: In some vulnerable versions, even `username` and `password` fields might be omitted.

3. Upgrade to Patched Version:

npm install [email protected]
or for 9.x track
npm install [email protected]

How Exploit:

  • An attacker sends a POST request to the `/classes/_User` (or /users) endpoint.
  • The request body contains an empty JSON object for the `authData` field.
  • The Parse Server, failing to validate that `authData` is actionable, processes the signup request as if it came from a valid third-party provider.
  • The server creates a new user session and returns a session token to the attacker, granting them authenticated access to the backend.

Protection from this CVE:

  1. Immediate Patch: Upgrade Parse Server to version `8.6.49` or `9.6.0-alpha.29` (or later) immediately.
  2. Cloud Code Workaround: If an immediate upgrade isn’t possible, implement a `beforeSave` trigger for the `_User` class to block signups with empty authData.
    Parse.Cloud.beforeSave(Parse.User, (request) => {
    const authData = request.object.get('authData');
    const hasUsername = request.object.get('username');
    const hasPassword = request.object.get('password');
    // If authData is an empty object and no username/password, block the signup
    if (authData && typeof authData === 'object' && Object.keys(authData).length === 0) {
    if (!hasUsername || !hasPassword) {
    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Signup requires credentials.');
    }
    }
    });
    

Impact:

Successful exploitation allows an unauthenticated, remote attacker to create a valid user session on the Parse Server. This leads to unauthorized access to the application’s backend, potentially allowing the attacker to view, create, modify, or delete data that the newly created user has permissions for, compromising the confidentiality and integrity of the application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top