Parse Server is an open-source backend framework that runs on Node.js and supports user authentication via username/password or third-party auth providers. Versions before 9.6.0-alpha.29 and 8.6.49 contain a critical flaw in the authentication logic where an attacker can bypass credential requirements by submitting an empty authData object during user signup. This bypasses the intended authentication checks, allowing creation of authenticated sessions without valid credentials, even if anonymous user signups are disabled. The root cause is improper handling of empty or non-actionable authData, which was previously accepted as valid authentication data. The fix introduced in 9.6.0-alpha.29 and 8.6.49 treats empty authData the same as absent authData, enforcing that either valid third-party auth provider data or username/password credentials must be present to create a user. As a mitigation, developers can implement a Cloud Code beforeSave trigger on the _User class to reject signups with empty authData and missing username/password, effectively blocking unauthorized user creation. This vulnerability is tracked as CWE-287 (Improper Authentication) and has a CVSS 4.0 score of 6.9, indicating medium severity. No public exploits have been reported yet, but the vulnerability is exploitable remotely without authentication or user interaction, posing a risk to any deployment running affected versions.

The vulnerability allows attackers to create authenticated user sessions without valid credentials, effectively bypassing authentication controls. This can lead to unauthorized access to application resources, data leakage, and potential privilege escalation depending on the application's access control implementation. Organizations relying on parse-server for backend user management may face unauthorized account creation, which could be leveraged for further attacks such as data exfiltration, impersonation, or abuse of application functionality. Since the flaw bypasses anonymous user restrictions, it undermines security policies intended to prevent unauthorized access. The impact is particularly significant for applications handling sensitive user data or critical business functions. Although no known exploits exist currently, the ease of exploitation and network accessibility make this a credible threat. The medium CVSS score reflects limited impact on confidentiality and availability but a clear integrity risk due to improper authentication.

The primary mitigation is to upgrade parse-server to version 9.6.0-alpha.29 or later, or 8.6.49 or later, where the authentication logic properly validates authData. If immediate upgrade is not feasible, implement a Cloud Code beforeSave trigger on the _User class to reject any signup requests where authData is empty and no username/password is provided. This custom validation ensures that unauthorized user creation attempts are blocked. Additionally, review and tighten access control policies and monitor user creation logs for suspicious activity. Employ rate limiting and anomaly detection to identify potential abuse. Regularly audit parse-server configurations to ensure anonymous user signups are disabled if not required. Finally, keep parse-server and dependencies up to date and subscribe to vendor advisories for timely patching.