CVE-2026-32269: CWE-683: Function Call With Incorrect Order of Arguments in parse-community parse-server
CVE-2026-32269 is a medium severity vulnerability in parse-community's parse-server affecting versions prior to 9.6.0-alpha.13 and 8.6.39. The OAuth2 authentication adapter incorrectly validates app IDs when appidField and appIds are configured, sending malformed values to the token introspection endpoint instead of the user's actual access token. This flaw can cause OAuth2 logins to fail or, depending on the introspection endpoint's response, allow unauthorized authentication from disallowed app contexts. Exploitation does not require privileges or user interaction but has a high attack complexity. The vulnerability impacts deployments using the OAuth2 adapter with specific configurations and is fixed in the indicated patched versions.
AI Analysis
Technical Summary
Parse Server is an open-source backend platform that supports OAuth2 authentication via an adapter. In versions >= 9.0.0 and < 9.6.0-alpha.13, and >= 8.0.2 and < 8.6.39, the OAuth2 adapter contains a logic flaw classified as CWE-683 (Function Call With Incorrect Order of Arguments). When appidField and appIds are configured, the adapter incorrectly validates app IDs by sending a malformed value to the token introspection endpoint instead of the legitimate access token. The token introspection endpoint is responsible for validating OAuth2 tokens and returning token metadata. Because the malformed value is sent, the endpoint's behavior determines the impact: it may reject all OAuth2 logins, causing denial of service, or it may return valid-looking data for the malformed request, potentially allowing authentication from unauthorized app contexts. In the latter case, an attacker could bypass app ID restrictions and gain unauthorized access. The vulnerability does not require authentication or user interaction but has a high attack complexity because exploitation depends on the introspection endpoint's behavior. The flaw affects only deployments using the OAuth2 adapter with appidField and appIds configured. The issue was fixed in parse-server versions 9.6.0-alpha.13 and 8.6.39. No known exploits are reported in the wild as of the publication date. The CVSS v4.0 base score is 6.3, reflecting medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality and integrity impact.
Potential Impact
This vulnerability can have significant impacts on organizations using parse-server with the OAuth2 adapter configured with appidField and appIds. If the token introspection endpoint rejects malformed tokens, legitimate OAuth2 logins may fail, causing denial of service and blocking user access to applications. Conversely, if the introspection endpoint returns valid-looking data for malformed tokens, attackers could authenticate from unauthorized app contexts, potentially gaining unauthorized access to protected resources or user accounts. This can lead to unauthorized data access, privilege escalation, and compromise of application integrity. The impact is particularly critical for organizations relying on parse-server for backend authentication in sensitive or high-value applications. The medium severity rating reflects the conditional nature of the impact, which depends on the introspection endpoint's behavior and the specific configuration. However, the lack of required privileges or user interaction lowers the barrier for exploitation, increasing risk. Organizations with large user bases or critical services using affected parse-server versions are at risk of service disruption or unauthorized access, which could damage reputation, lead to data breaches, and cause regulatory non-compliance.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade parse-server to version 9.6.0-alpha.13 or 8.6.39 or later, where the issue is fixed. If an immediate upgrade is not feasible, administrators should review and, where possible, disable the appidField and appIds configuration in the OAuth2 adapter to avoid triggering the flawed validation logic. Additionally, organizations should audit and harden the token introspection endpoint so that it strictly validates tokens and rejects malformed requests without returning valid-looking data. Implementing strict input validation and logging on the introspection endpoint can help detect and prevent exploitation attempts. Monitoring authentication logs for unusual OAuth2 login failures or unexpected successful authentications from disallowed app contexts is recommended. Network-level protections such as IP allowlisting for introspection endpoint access and rate limiting can reduce the attack surface. Finally, organizations should thoroughly test OAuth2 authentication flows after mitigation to confirm that app ID validation and login functionality behave correctly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Machine-generated threat intelligence
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T15:05:48.398Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b31b3a2f860ef943e8fcab
Added to database: 3/12/2026, 7:59:54 PM
Last enriched: 3/20/2026, 2:36:15 AM
Last updated: 4/27/2026, 7:07:15 AM
Views: 79