CVE-2026-30850: CWE-862: Missing Authorization in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and is widely used for mobile and web applications. In versions prior to 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) fails to enforce the beforeFind and afterFind triggers. These triggers are designed to act as access control gates by allowing custom logic to validate or restrict access to files and their metadata. The absence of these checks on the metadata endpoint means that any user, including unauthenticated ones, can retrieve metadata information about files without authorization. This constitutes a missing authorization vulnerability categorized under CWE-862. The CVSS 4.0 base score is 6.3, reflecting a medium severity due to the ease of remote exploitation without authentication and the impact on confidentiality. However, the vulnerability does not affect file contents or system integrity, nor does it impact availability. The issue has been addressed in parse-server versions 8.6.9 and 9.5.0-alpha.9 by enforcing the appropriate triggers on the metadata endpoint, restoring intended access control mechanisms.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of file metadata, which may include file names, sizes, types, timestamps, or other descriptive attributes. While the file contents themselves remain protected, metadata can reveal sensitive information about the nature and existence of files, potentially aiding further reconnaissance or targeted attacks. Organizations relying on parse-server for backend services may inadvertently expose metadata about sensitive project or user data to unauthorized parties. This can lead to privacy violations, information leakage, and compliance issues, especially in regulated industries. The vulnerability does not directly compromise data integrity or system availability, but the exposure of metadata can be leveraged in multi-stage attacks. Since exploitation requires no authentication and no user interaction, the attack surface is broad, increasing risk for publicly accessible parse-server deployments.
Mitigation Recommendations
Organizations should immediately upgrade parse-server to version 8.6.9 or later, or 9.5.0-alpha.9 or later, where this vulnerability is patched. If upgrading is not immediately feasible, implement network-level access controls to restrict access to the file metadata endpoint to trusted users or internal networks only. Review and audit all beforeFind and afterFind triggers to ensure they are correctly applied and enforced across all relevant endpoints, including metadata retrieval. Employ logging and monitoring on file metadata access to detect unusual or unauthorized queries. Consider implementing additional application-layer authorization checks as a defense-in-depth measure. Finally, educate development teams about the importance of consistent trigger enforcement and authorization checks on all API endpoints to prevent similar issues.
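The application-layer check and the access monitoring the recommendations call for, written here as an added JavaScript example (not parse-server's own code): it assumes Parse Server is mounted at `/parse` and that clients authenticate with the standard `X-Parse-Session-Token` header, and it uses a constructed session validator and a constructed access-log format.

```javascript
// Added example, not parse-server code. Two defender-side pieces for the
// GET /files/:appId/metadata/:filename route named in the advisory: a gate
// evaluated ahead of Parse Server (defense in depth while patching) and a
// scan of access-log lines for unauthenticated 200s on that route. Assumes
// a '/parse' mount path; validator and log format are constructed.
const MOUNT_PATH = '/parse';
const METADATA_RE = new RegExp(`^${MOUNT_PATH}/files/([^/]+)/metadata/([^/?#]+)`);

// { appId, filename } when the path is the file metadata route, else null.
function matchMetadataPath(path) {
  const m = METADATA_RE.exec(path);
  if (!m) return null;
  let filename = m[2];
  try { filename = decodeURIComponent(m[2]); } catch { /* keep raw on bad escape */ }
  return { appId: m[1], filename };
}

function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Pure decision for a middleware mounted in front of Parse Server: requests
// off the metadata route pass through; metadata requests need a session token
// that isValidSession() accepts (injected validator; constructed in the test).
// Because it runs before Parse Server, it does not depend on the vulnerable
// endpoint honouring beforeFind.
function metadataRequestAllowed(req, isValidSession) {
  if (req.method !== 'GET' || !matchMetadataPath(req.path)) return true;
  const token = headerValue(req.headers, 'x-parse-session-token');
  return token !== undefined && isValidSession(token);
}

// Constructed access log: "<ip> <method> <path> <status> token=<yes|no>".
const SAMPLE_LOG = [
  '203.0.113.7 GET /parse/files/myApp/metadata/payroll-2026.xlsx 200 token=no',
  '198.51.100.4 GET /parse/files/myApp/metadata/avatar.png 200 token=yes',
  '203.0.113.7 GET /parse/files/myApp/payroll-2026.xlsx 403 token=no',
  '203.0.113.7 GET /parse/classes/_User 401 token=no',
];

// Report 200 responses on the metadata route that carried no session token.
function findUnauthenticatedMetadataHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [ip, method, path, status, tokenField] = line.trim().split(/\s+/);
    const match = method === 'GET' ? matchMetadataPath(path) : null;
    if (match && status === '200' && tokenField === 'token=no') {
      hits.push({ ip, appId: match.appId, filename: match.filename });
    }
  }
  return hits;
}
```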
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, India, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-05T21:27:35.341Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ac52cfc48b3f10ffafee93
Added to database: 3/7/2026, 4:31:11 PM
Last enriched: 3/14/2026, 7:59:23 PM
Last updated: 4/21/2026, 2:08:55 PM