Parse Server is an open-source backend framework that runs on Node.js and supports various authentication providers. In versions prior to 8.6.58 and between 9.0.0 and 9.6.0-alpha.52, an unauthenticated attacker can exploit a denial-of-service vulnerability (CWE-400: Uncontrolled Resource Consumption) by sending authentication requests specifying arbitrary provider names that are not configured on the server. The server attempts to process these requests by executing a database query for each unconfigured provider to validate the authentication attempt. However, because the user database collection lacks an index on the provider field for these unconfigured providers, each query results in a full collection scan, which is computationally expensive and resource-intensive. Attackers can send many such requests in parallel, causing the database to become saturated, leading to denial of service conditions that degrade or halt legitimate service operations. The vulnerability requires no authentication or user interaction, making it remotely exploitable by any attacker. The issue was addressed by adding appropriate indexing or query handling in parse-server versions 8.6.58 and 9.6.0-alpha.52, preventing full collection scans for unconfigured providers. No public exploits have been observed, but the high CVSS 4.0 base score of 8.7 reflects the ease of exploitation and significant impact on availability.

This vulnerability can severely impact organizations using vulnerable versions of parse-server by enabling attackers to cause denial of service through resource exhaustion of the backend database. The resulting service outages can disrupt applications relying on parse-server for authentication and backend services, leading to downtime, loss of user trust, and potential financial losses. Since the attack requires no authentication and can be performed remotely, it poses a significant risk to publicly accessible parse-server deployments. Organizations with high user volumes or critical services dependent on parse-server are especially vulnerable to large-scale denial of service attacks that can saturate database resources and degrade overall system performance. Additionally, the lack of indexing causing full collection scans may increase operational costs due to increased database load. Although no known exploits are currently reported, the vulnerability's characteristics make it a likely target for attackers seeking to disrupt services.

The primary mitigation is to upgrade parse-server to version 8.6.58 or later, or 9.6.0-alpha.52 or later, where this vulnerability has been patched. For organizations unable to upgrade immediately, temporary mitigations include implementing rate limiting on authentication requests to limit the number of requests with unconfigured provider names, thereby reducing the potential for resource exhaustion. Additionally, monitoring database query performance and unusual spikes in authentication requests can help detect exploitation attempts early. Applying database-level indexing on the provider field, if feasible, can reduce the cost of queries for unconfigured providers, though this may require custom modifications. Network-level protections such as web application firewalls (WAFs) can be configured to block or throttle suspicious authentication requests with unknown provider names. Finally, restricting access to parse-server endpoints to trusted IP ranges or behind VPNs can reduce exposure to unauthenticated attackers.