Skip to content

[Vulnerability] parse-community/parse-server: Denial of Service #213

Description

@github-actions

Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: fbac847
Author: Manuel
Date: 2026-03-21T15:49:08Z

Commit Message

fix: Denial of service via unindexed database query for unconfigured auth providers ([GHSA-g4cf-xj29-wqqr](https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr)) (#10270)

Pull Request

PR: #10270 - fix: Denial of service via unindexed database query for unconfigured auth providers (GHSA-g4cf-xj29-wqqr)
Labels: state:released-alpha

Description:

Issue

Denial of service via unindexed database query for unconfigured auth providers ([GHSA-g4cf-xj29-wqqr](GHSA-g4cf-xj29-wqqr))

Analysis

Vulnerability Type: Denial of Service
Severity: Medium

Description

The original code allowed unconfigured authentication providers to trigger unindexed database queries, causing expensive collection scans. An attacker could exploit this by submitting authData with unconfigured provider names, leading to denial of service due to the high cost of unindexed queries. The patch prevents database queries for unconfigured auth providers, mitigating this attack.

Affected Code

const adapter = config.authDataManager.getValidatorForProvider(provider)?.adapter;

Proof of Concept

Send a signup request with authData containing a non-existent provider (e.g. { nonExistentProvider: { id: 'test123' } }) causing the server to perform an unindexed database find query. This query can severely load the database, leading to denial of service and degraded server availability.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-21T18:01:00.110Z

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions