
[Vulnerability] parse-community/parse-server: OAuth2 Token Misuse / Authorization Bypass #138

@github-actions

Description


Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: 7f9f854
Author: Manuel
Date: 2026-03-11T23:48:06Z

Commit Message

fix: OAuth2 adapter app ID validation sends wrong token to introspection endpoint ([GHSA-69xg-f649-w5g2](https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2)) (#10187)

Pull Request

PR: #10187 - fix: OAuth2 adapter app ID validation sends wrong token to introspection endpoint (GHSA-69xg-f649-w5g2)
Labels: state:released-alpha

Description:

Pull Request

Issue

OAuth2 adapter app ID validation sends wrong token to introspection endpoint ([GHSA-69xg-f649-w5g2](https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2))

Tasks

  • Add tests
  • Add changes to documentation ...

Analysis

Vulnerability Type: OAuth2 Token Misuse / Authorization Bypass
Severity: High

Description

Before the patch, the OAuth2 adapter's app ID validation method sent the wrong token (likely undefined or incorrect) to the token introspection endpoint. This flaw could allow an attacker to bypass proper token validation, potentially using an invalid or attacker-controlled token to impersonate users or applications, leading to unauthorized access. The patch fixes the method signature and ensures the correct access token is sent to the introspection endpoint during app ID validation.

Affected Code

```js
// Beginning of the affected method as quoted in the report (the rest is not shown here)
async validateAppId(authData) {
  if (!this.appidField) {
    return;
  }
```

Proof of Concept

1. Before the patch, the app ID validation calls requestTokenInfo with a missing token argument.
2. An attacker provides authData containing a victim's user ID and a token that is not properly validated, because validateAppId sends an undefined token.
3. The introspection endpoint receives 'undefined' as the token, which likely leads to validation being skipped or performed improperly.
4. The attacker gains access as the victim because the authorization check incorrectly succeeds.

Example:
```js
const authData = { access_token: 'attackerToken', id: 'victimUserId' };
const user = await Parse.User.logInWith('mockOauth', { authData });
// Due to incorrect token sent to introspection, validation passes even though token is invalid
console.log(user.id); // Outputs victimUserId, attacker logged in as victim
```

After the patch, the actual access_token is correctly sent to introspection, preventing this attack.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-12T00:01:20.864Z
