Parse Server is an open-source backend platform that supports Google authentication via JSON Web Tokens (JWT). Prior to versions 8.6.3 and 9.1.1-alpha.4, parse-server improperly handled JWT validation by trusting the 'alg' field in the JWT header. Specifically, it accepted tokens with 'alg: none', a known insecure algorithm that indicates no signature verification. This allowed attackers to craft forged Google authentication tokens that bypass signature verification and impersonate any user linked to a Google account. The vulnerability stems from CWE-327 (use of a broken or risky cryptographic algorithm) and CWE-345 (insufficient verification of data authenticity). Additionally, the Google adapter used a custom key fetcher that did not reject unknown key IDs, further weakening token validation. The fix hardcodes the expected RS256 algorithm, ensuring signature verification is enforced, and replaces the key fetcher with the 'jwks-rsa' library, which properly validates key IDs against Google's JSON Web Key Set. This vulnerability affects all parse-server deployments with Google authentication enabled running versions >=9.0.0 and <9.3.1-alpha.4, or versions below 8.6.3. Exploitation requires no authentication or user interaction, making it highly dangerous. No known exploits in the wild have been reported yet, but the critical severity and ease of exploitation make timely patching essential.

The vulnerability allows complete account takeover of any user linked to a Google account on affected parse-server deployments. Attackers can bypass authentication controls without credentials, compromising confidentiality by accessing sensitive user data and integrity by performing unauthorized actions on behalf of users. This can lead to data breaches, unauthorized transactions, privilege escalation, and lateral movement within affected environments. Since parse-server is used as a backend for various applications, the impact extends to all services relying on it for authentication. The lack of authentication or user interaction required for exploitation increases the risk of automated attacks and mass compromise. Organizations using Google authentication with parse-server are at significant risk of identity theft, data leakage, and service disruption until patched.

Organizations should immediately upgrade parse-server to version 8.6.3 or later, or 9.1.1-alpha.4 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, disable Google authentication temporarily to prevent exploitation. Review authentication logs for suspicious login attempts or anomalies indicative of token forgery. Implement additional monitoring and alerting on authentication events. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block JWT tokens with 'alg: none' or malformed tokens. Conduct a thorough audit of user accounts linked to Google authentication for unauthorized access. Educate developers and administrators on secure JWT handling and the risks of trusting JWT header algorithms. Finally, ensure that third-party libraries handling JWT validation are up to date and configured to reject insecure algorithms and unknown key IDs.