Parse Server is an open-source backend framework that runs on Node.js and supports GraphQL subscriptions via a WebSocket endpoint. In affected versions prior to 8.6.40 and 9.6.0-alpha.14, the WebSocket endpoint for GraphQL subscriptions does not pass incoming requests through the Express middleware chain. This middleware chain typically enforces critical security controls such as authentication, introspection control, and query complexity limits. Due to this omission, an attacker can connect directly to the WebSocket endpoint and perform GraphQL operations without providing any valid application or API key. Furthermore, the attacker can access the GraphQL schema through introspection queries even if public introspection is disabled, exposing the internal schema details. Additionally, the attacker can submit arbitrarily complex queries that bypass configured complexity limits, potentially leading to resource exhaustion or denial of service. The vulnerability stems from missing authentication checks (CWE-306) on a critical function, allowing unauthorized access to backend data and operations. The issue is resolved in parse-server versions 8.6.40 and 9.6.0-alpha.14 by ensuring the WebSocket endpoint enforces the same middleware protections as other endpoints.

This vulnerability allows unauthenticated remote attackers to access sensitive backend data and functionality via the GraphQL WebSocket endpoint. Confidentiality is compromised as attackers can perform introspection queries to learn the schema and potentially extract sensitive data. Integrity could be impacted if attackers execute mutations or operations that modify data without authorization. Availability is at risk due to the ability to send arbitrarily complex queries that bypass complexity limits, potentially causing resource exhaustion and denial of service. Since no authentication or user interaction is required, exploitation can be automated and performed at scale. Organizations using affected parse-server versions risk data breaches, unauthorized data manipulation, and service disruption. The impact is particularly severe for applications exposing sensitive or critical data through GraphQL subscriptions.

The primary mitigation is to upgrade parse-server to version 8.6.40 or later, or 9.6.0-alpha.14 or later, where the vulnerability is patched. Until upgrading is possible, organizations should restrict network access to the GraphQL WebSocket endpoint using firewall rules or network segmentation to limit exposure to trusted clients only. Implement additional application-layer access controls or reverse proxies that enforce authentication and query complexity limits on WebSocket connections. Monitor WebSocket traffic for unusual or excessive query patterns that may indicate exploitation attempts. Review and harden GraphQL schema exposure settings, disabling introspection in production environments where feasible. Conduct regular security audits and penetration testing focusing on GraphQL endpoints to detect similar bypass issues. Maintain up-to-date dependency management to quickly apply future security patches.