CVE-2026-33042: CWE-287: Improper Authentication in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. The fix in 9.6.0-alpha.29 and 8.6.49 ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. As a workaround, use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and supports user authentication via username/password or third-party auth providers. In affected versions prior to 9.6.0-alpha.29 and 8.6.49, the server improperly handled the authData field during user signup. Specifically, if an attacker submitted an empty authData object, the server bypassed the normal username and password validation, allowing creation of authenticated sessions without valid credentials. This flaw exists even when anonymous user signups are disabled, effectively allowing unauthorized account creation and session establishment. The root cause is that empty or non-actionable authData was treated as if valid auth provider data was present, circumventing credential checks. The fix introduced in the patched versions treats empty authData the same as absent authData, requiring username and password when no valid auth provider data exists. As a mitigation, developers can implement a Cloud Code beforeSave trigger on the _User class to reject signups with empty authData and missing username/password. This vulnerability is classified under CWE-287 (Improper Authentication) and has a CVSS 4.0 base score of 6.9, indicating medium severity. No public exploits have been reported yet, but the flaw allows unauthenticated remote attackers to bypass authentication controls and create accounts.
Potential Impact
The vulnerability allows attackers to bypass authentication controls and create authenticated user sessions without valid credentials. This can lead to unauthorized access to application resources, data exposure, and potential privilege escalation if the attacker leverages the created accounts for further attacks. Organizations relying on parse-server for backend user management may face data integrity and confidentiality risks, as unauthorized users could access or manipulate data intended for legitimate users. The impact is amplified in environments where anonymous user signups are disabled, as the vulnerability negates this security control. Although the vulnerability does not directly enable remote code execution or system compromise, unauthorized account creation undermines trust in the authentication mechanism and can facilitate subsequent attacks such as data exfiltration, fraud, or lateral movement within the application ecosystem.
Mitigation Recommendations
The primary mitigation is to upgrade parse-server to version 9.6.0-alpha.29 or later, or 8.6.49 or later, where the authentication logic correctly enforces username and password requirements when authData is empty or invalid. Until upgrades can be applied, implement a Cloud Code beforeSave trigger on the _User class to reject any signup requests where authData is empty and no username/password is provided. This custom validation ensures that unauthorized account creation is blocked at the application layer. Additionally, review and tighten backend access controls and monitor user creation logs for suspicious activity indicative of exploitation attempts. Employ rate limiting and anomaly detection on signup endpoints to reduce automated abuse. Finally, ensure that anonymous user signups are explicitly disabled if not required, and verify that all authentication flows are tested for proper credential validation.
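The workaround described above, written out as an added example (not Parse Server's own fix or the project's code): a Cloud Code `beforeSave` guard on `_User` that treats an empty or non-actionable `authData` object the same as absent `authData`, so a new signup without a usable provider entry must carry a username and password. It assumes the Cloud Code runtime exposes the `Parse` global and that `request.object.get('password')` is readable in `beforeSave` for a new user; the pure functions run anywhere.

```javascript
// Added example of the advisory's beforeSave workaround for the _User class.
// It is not Parse Server's patched logic; the helper names are our own.

// True when authData holds at least one provider entry that carries data,
// e.g. { anonymous: { id: "..." } }. An empty object {} or a provider mapped
// to null/{} is "non-actionable" and counts as no authData at all.
function hasActionableAuthData(authData) {
  if (authData === null || typeof authData !== 'object' || Array.isArray(authData)) {
    return false;
  }
  return Object.values(authData).some(
    (provider) => provider !== null && typeof provider === 'object' && Object.keys(provider).length > 0,
  );
}

// True when both username and password are present and non-blank.
function hasUsernameAndPassword(attrs) {
  const nonEmpty = (v) => typeof v === 'string' && v.trim().length > 0;
  return nonEmpty(attrs.username) && nonEmpty(attrs.password);
}

// Core decision: a new user needs actionable authData OR a username/password pair.
// `attrs` is a plain object holding the incoming _User fields.
function signupIsAllowed(attrs) {
  return hasActionableAuthData(attrs.authData) || hasUsernameAndPassword(attrs);
}

// Register the check with Parse Cloud Code. The Parse global only exists inside
// the Cloud Code runtime (assumption), so registration is skipped elsewhere.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, (request) => {
    const user = request.object;
    if (user.existed()) return; // only new signups are affected by the bypass
    const attrs = {
      authData: user.get('authData'),
      username: user.get('username'),
      password: user.get('password'), // assumed readable here for new users
    };
    if (!signupIsAllowed(attrs)) {
      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, 'username and password are required');
    }
  });
}

if (typeof module !== 'undefined') {
  module.exports = { hasActionableAuthData, hasUsernameAndPassword, signupIsAllowed };
}
```

Because the guard throws, the save is aborted before a session token is issued; logging the rejection alongside the request IP gives the user-creation monitoring signal the recommendations above ask for.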
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.210Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bb2382771bdb1749c98982
Added to database: 3/18/2026, 10:13:22 PM
Last enriched: 3/18/2026, 10:28:10 PM
Last updated: 3/19/2026, 5:05:07 AM