CVE-2026-29182: CWE-863: Incorrect Authorization in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note that an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and supports deployment on various infrastructures. It uses a master key system for administrative access, including a readOnlyMasterKey option designed to allow read-only access with master-level privileges while denying write operations. However, in versions prior to 8.6.4 and 9.4.1-alpha.3, certain API endpoints incorrectly accept the readOnlyMasterKey for mutating operations, violating the intended authorization model (CWE-863: Incorrect Authorization). This flaw enables an attacker who has obtained the readOnlyMasterKey to perform unauthorized write actions such as creating, modifying, or deleting Cloud Hooks and initiating Cloud Jobs. These capabilities can be leveraged to execute arbitrary code or scripts within the cloud environment, facilitating data exfiltration or further compromise. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 4.0 base score of 8.6 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation once the key is known. The issue has been addressed in parse-server versions 8.6.4 and 9.4.1-alpha.3 by correcting the authorization checks to properly restrict write operations when using the readOnlyMasterKey.
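The missing check described above, as an added example that is not Parse Server's own code: a simplified model of the authorization decision for master-key-only routes, where the full and read-only master keys both resolve to isMaster and only an isReadOnly flag separates them. X-Parse-Master-Key is the real Parse REST header; the config shape, function names, route prefixes and middleware are assumptions for illustration.

```javascript
// Added example, not Parse Server's own code: a simplified model of the
// authorization decision for master-key-only routes. Function names, the
// config shape and the route list are assumptions for illustration.
const config = {
  masterKey: 'constructed-master-key',           // constructed sample value
  readOnlyMasterKey: 'constructed-readonly-key', // constructed sample value
};

// Both keys grant master-level access; only isReadOnly tells them apart.
function resolveAuth(headers, cfg = config) {
  const key = headers['x-parse-master-key']; // X-Parse-Master-Key, lower-cased as Node does
  if (key && key === cfg.masterKey) return { isMaster: true, isReadOnly: false };
  if (key && key === cfg.readOnlyMasterKey) return { isMaster: true, isReadOnly: true };
  return { isMaster: false, isReadOnly: false };
}

const MUTATING_METHODS = new Set(['POST', 'PUT', 'DELETE']);
// Assumed route prefixes for Cloud Hooks and Cloud Jobs management.
const MASTER_ONLY_PREFIXES = ['/hooks/', '/jobs'];

function isMasterOnlyPath(path) {
  return MASTER_ONLY_PREFIXES.some(p => path === p || path.startsWith(p));
}

// Weak check (the CWE-863 pattern): asks only whether some master key was
// presented, so a read-only key is accepted for a POST that creates a hook.
function authorizeWeak(auth, method, path) {
  if (!isMasterOnlyPath(path)) return true; // other routes use their own ACL logic
  return auth.isMaster;
}

// Hardened check: any mutating method on a master-only route needs the full
// master key; the read-only key is honoured for GET only.
function authorizeFixed(auth, method, path) {
  if (!isMasterOnlyPath(path)) return true;
  if (!auth.isMaster) return false;
  if (MUTATING_METHODS.has(method) && auth.isReadOnly) return false;
  return true;
}

// Express-style middleware built on the hardened check (assumed usage).
// 119 is Parse's OPERATION_FORBIDDEN error code.
function requireWriteCapableMaster(req, res, next) {
  const auth = resolveAuth(req.headers);
  if (!authorizeFixed(auth, req.method, req.path)) {
    return res.status(403).json({ code: 119, error: 'read-only master key cannot perform this operation' });
  }
  next();
}
```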
Potential Impact
The vulnerability allows unauthorized modification of critical backend components such as Cloud Hooks and Cloud Jobs, which can lead to severe consequences including data leakage, unauthorized data manipulation, and potential full compromise of backend logic. Organizations relying on parse-server with the readOnlyMasterKey option are at risk of attackers escalating privileges beyond intended read-only access, undermining data confidentiality and integrity. This can disrupt application functionality and availability if malicious Cloud Jobs are triggered. The impact is particularly significant for applications handling sensitive or regulated data, as attackers could exfiltrate or alter data without detection. Since the exploit requires knowledge of the readOnlyMasterKey, the risk is elevated in environments where key management is weak or keys are exposed through other vulnerabilities or insider threats. The widespread use of parse-server in mobile and web applications globally increases the potential attack surface, making this a critical concern for developers and organizations using this backend technology.
Mitigation Recommendations
1. Upgrade all parse-server deployments to version 8.6.4 or later (or 9.4.1-alpha.3 or later) immediately to apply the official patch that corrects authorization checks.
2. Audit and rotate all readOnlyMasterKey credentials to new values after patching to prevent reuse of potentially compromised keys.
3. Implement strict key management policies, including secure storage, limited distribution, and regular key rotation to reduce the risk of key exposure.
4. Monitor Cloud Hooks and Cloud Jobs activity logs for unusual or unauthorized changes or executions that could indicate exploitation attempts.
5. Employ network segmentation and access controls to limit exposure of parse-server endpoints to trusted networks and users only.
6. Conduct regular security assessments and penetration testing focusing on key management and authorization mechanisms within parse-server deployments.
7. Educate development and operations teams about the risks of improper key usage and the importance of applying security patches promptly.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Japan, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.713Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab3d0ec48b3f10ffd4f2cd
Added to database: 3/6/2026, 8:46:06 PM
Last enriched: 3/6/2026, 9:00:40 PM
Last updated: 3/6/2026, 10:03:29 PM