Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 5dcbf41
Author: Manuel
Date: 2026-03-16T14:31:20Z
Commit Message
fix: Empty authData bypasses credential requirement on signup ([GHSA-wjqw-r9x4-j59v](https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v)) (#10219)
Pull Request
PR: #10219 - fix: Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v)
Labels: state:released-alpha
Description:
Issue
Empty authData bypasses credential requirement on signup ([GHSA-wjqw-r9x4-j59v](https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v))
Tasks
Analysis
Vulnerability Type: Authentication Bypass
Severity: High
Description
Before the patch, signup requests with an empty authData object could bypass credential requirements, allowing account creation without valid authentication credentials. This flaw enabled attackers to create accounts without providing username/password or valid third-party authentication data, potentially leading to unauthorized access and abuse. The patch requires non-empty authData or valid credentials, rejecting signups with empty or malformed authData.
Affected Code
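```js
// The username requirement applies only when authData is falsy;
// an empty object ({}) is truthy, so this block is skipped.
if (!this.query && !authData) {
  if (typeof this.data.username !== 'string' || _.isEmpty(this.data.username)) {
    throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'bad or missing username');
  }
}

// An authData object with no keys is treated as having nothing to validate.
if (
  (authData && !Object.keys(authData).length) ||
  !Object.prototype.hasOwnProperty.call(this.data, 'authData')
) {
  // Nothing to validate here
  return;
}
```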
Proof of Concept
```
POST /1/users
Headers:
  Content-Type: application/json
  X-Parse-Application-Id: test
  X-Parse-REST-API-Key: rest
Body:
  {
    "authData": {}
  }
```
Expected response:
```
HTTP 400 Bad Request
{
  "code": 207,
  "error": "bad or missing username"
}
```
-- Exploit on unpatched version --
The same request would succeed, creating a user account without requiring a username or password and bypassing authentication controls.
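Why an empty authData object passes both checks listed under Affected Code, as an added example that is not parse-server source: a simplified model of those two checks beside one possible stricter check. The names `SignupError`, `requireUsername`, `validateSignupVulnerable`, `hasUsableAuthData`, `validateSignupHardened` and `outcome` are hypothetical, and the stricter variant is an illustration, not the project's patch.

```javascript
// Added example: a simplified model of the signup checks, not parse-server source.
class SignupError extends Error {}

function requireUsername(data) {
  if (typeof data.username !== 'string' || data.username.length === 0) {
    throw new SignupError('bad or missing username');
  }
}

// Models the two checks shown under "Affected Code".
function validateSignupVulnerable(data) {
  const authData = data.authData;
  if (!authData) requireUsername(data); // {} is truthy: requirement skipped
  if ((authData && !Object.keys(authData).length) ||
      !Object.prototype.hasOwnProperty.call(data, 'authData')) {
    return 'accepted: nothing to validate';
  }
  return 'accepted: authData passed to provider validation';
}

// Hypothetical stricter test: only a non-empty plain object counts as authData.
function hasUsableAuthData(authData) {
  return authData !== null && typeof authData === 'object' &&
    !Array.isArray(authData) && Object.keys(authData).length > 0;
}

function validateSignupHardened(data) {
  if (!hasUsableAuthData(data.authData)) {
    requireUsername(data); // empty or malformed authData falls back to credentials
    return 'accepted: username credentials';
  }
  return 'accepted: authData passed to provider validation';
}

function outcome(validate, data) {
  try { return validate(data); }
  catch (e) {
    if (e instanceof SignupError) return 'rejected: ' + e.message;
    throw e;
  }
}

// Constructed request bodies, including the empty-authData body from the PoC.
const samples = [{ authData: {} }, { authData: null }, { authData: [] },
  { username: 'alice' }, { authData: { provider: { id: '1' } } }];
for (const body of samples) {
  console.log(JSON.stringify(body), '| model of affected code:',
    outcome(validateSignupVulnerable, body), '| stricter check:', outcome(validateSignupHardened, body));
}
```

The model covers only the username requirement visible in the Affected Code excerpt; provider validation is represented by a return string.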
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-16T18:02:37.218Z