Parse Server is an open-source backend framework that supports social authentication via adapters for Google, Apple, and Facebook, which rely on JWT (JSON Web Token) verification to validate identity tokens. In versions prior to 8.6.10 and 9.5.0-alpha.11, these adapters do not enforce audience claim validation if the audience configuration option (clientId for Google/Apple, appIds for Facebook) is left unset. The audience claim in a JWT specifies the intended recipient application. Skipping this validation means that a JWT issued for one application can be accepted by another, enabling an attacker to authenticate as any user on the target Parse Server by presenting a valid JWT from a different app. This is a classic CWE-287 improper authentication vulnerability, as the server fails to properly verify the token's intended audience, undermining identity assurance. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network. The issue has been addressed by enforcing audience claim validation in the patched versions 8.6.10 and 9.5.0-alpha.11.

This vulnerability allows attackers to bypass authentication controls and impersonate arbitrary users on affected Parse Server instances. The attacker can gain unauthorized access to user accounts, potentially exposing sensitive personal data, modifying user data, or performing actions on behalf of victims. This can lead to data breaches, privilege escalation, and compromise of application integrity. Since Parse Server is widely used for mobile and web backends, organizations relying on social login integrations are at risk of unauthorized access and account takeover. The lack of audience validation undermines trust in the authentication process, increasing the risk of identity spoofing attacks. The vulnerability’s critical severity and ease of exploitation make it a significant threat to confidentiality and integrity of affected systems.

Organizations should immediately upgrade parse-server to version 8.6.10 or later, or 9.5.0-alpha.11 or later, where the audience claim validation is enforced. Until upgrades can be applied, administrators should explicitly configure the audience option (clientId/appIds) in the authentication adapters to ensure JWT tokens are validated against the correct audience. Additionally, monitoring authentication logs for unusual token usage patterns or unexpected user logins can help detect exploitation attempts. Implementing multi-factor authentication (MFA) at the application level can provide an additional security layer. Developers should review all social authentication configurations to ensure proper validation parameters are set. Regular vulnerability scanning and penetration testing focusing on authentication flows are recommended to detect similar issues.