Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: fbac847
Author: Manuel
Date: 2026-03-21T15:49:08Z
Commit Message
fix: Denial of service via unindexed database query for unconfigured auth providers ([GHSA-g4cf-xj29-wqqr](https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr)) (#10270)
Pull Request
PR: #10270 - fix: Denial of service via unindexed database query for unconfigured auth providers (GHSA-g4cf-xj29-wqqr)
Labels: state:released-alpha
Description:
Issue
Denial of service via unindexed database query for unconfigured auth providers ([GHSA-g4cf-xj29-wqqr](GHSA-g4cf-xj29-wqqr))
Analysis
Vulnerability Type: Denial of Service
Severity: Medium
Description
The original code allowed unconfigured authentication providers to trigger unindexed database queries, causing expensive collection scans. An attacker could exploit this by submitting authData with unconfigured provider names, leading to denial of service due to the high cost of unindexed queries. The patch prevents database queries for unconfigured auth providers, mitigating this attack.
Affected Code
const adapter = config.authDataManager.getValidatorForProvider(provider)?.adapter;
Proof of Concept
Send a signup request with authData containing a non-existent provider (e.g. { nonExistentProvider: { id: 'test123' } }) causing the server to perform an unindexed database find query. This query can severely load the database, leading to denial of service and degraded server availability.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-21T18:01:00.110Z
Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: fbac847
Author: Manuel
Date: 2026-03-21T15:49:08Z
Commit Message
Pull Request
PR: #10270 - fix: Denial of service via unindexed database query for unconfigured auth providers (GHSA-g4cf-xj29-wqqr)
Labels: state:released-alpha
Description:
Issue
Denial of service via unindexed database query for unconfigured auth providers ([GHSA-g4cf-xj29-wqqr](GHSA-g4cf-xj29-wqqr))
Analysis
Vulnerability Type: Denial of Service
Severity: Medium
Description
The original code allowed unconfigured authentication providers to trigger unindexed database queries, causing expensive collection scans. An attacker could exploit this by submitting authData with unconfigured provider names, leading to denial of service due to the high cost of unindexed queries. The patch prevents database queries for unconfigured auth providers, mitigating this attack.
Affected Code
Proof of Concept
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-21T18:01:00.110Z