PT-2022-24827 · Unknown · Parse Server

Mtrezza · Published 2022-09-21 · Updated 2024-03-06 · CVE-2022-39231

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 4.10.16
Parse Server versions 5.0.0 through 5.2.6

Description
The issue concerns the validation of the authentication adapter app ID for Facebook and Spotify. In affected configurations, where appIds is set as a string instead of an array of strings, an attacker can authenticate requests from an app with a different app ID than the one specified in the appIds configuration. This can happen if the attacker is assigned an app ID by the authentication provider that is a subset of the server-side configured app ID. Both the Facebook and Spotify adapters still validate the access token with the respective authentication provider.

Recommendations
For Parse Server versions prior to 4.10.16, update to version 4.10.16 or later. For Parse Server versions 5.0.0 through 5.2.6, update to version 5.2.7 or later. As a temporary workaround, consider setting appIds as an array of strings instead of a string to prevent exploitation. Restrict access to the Facebook and Spotify authentication adapters to minimize the risk of exploitation.

Weakness Enumeration
Improper Authentication

Related Identifiers
BIT-PARSE-2022-39231
CVE-2022-39231
GHSA-R657-33VP-GP22

Affected Products
Parse Server