<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Parse - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/parse/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/parse/feed.xml" rel="self" type="application/rss+xml"/><item><title>Parse Server /users/me Endpoint Exposes MFA Secrets</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-parse-server-auth-leak/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-parse-server-auth-leak/</guid><description>Parse Server versions before 8.6.61 and versions 9.0.0 to 9.6.0-alpha.55 expose sensitive MFA credentials via the `/users/me` endpoint, allowing authenticated users to extract TOTP secrets and recovery codes.</description><content:encoded><![CDATA[<p>Parse Server, an open-source backend framework, contains a vulnerability in versions before 8.6.61 and versions 9.0.0 up to 9.6.0-alpha.55. The <code>/users/me</code> endpoint inadvertently exposes sensitive authentication data, including MFA TOTP secrets and recovery codes. An authenticated user possessing a valid session token can exploit this flaw. The root cause lies in the endpoint's use of master-level authentication for the session query, causing the master context to leak into user data and bypass security sanitization. This vulnerability, disclosed on March 24, 2026, as GHSA-37mj-c2wf-cx96, can lead to unauthorized access and account compromise. Defenders should prioritize patching vulnerable Parse Server instances to prevent potential credential compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Parse Server instance running a vulnerable version (below 8.6.61 or between 9.0.0 and 9.6.0-alpha.55).</li>
<li>The attacker obtains valid user credentials through standard means (e.g., registration, password reset, or credential stuffing).</li>
<li>The attacker successfully authenticates to the Parse Server and receives a valid session token.</li>
<li>The attacker crafts a <code>GET</code> request to the <code>/users/me</code> endpoint, including the valid session token in the request headers.</li>
<li>The Parse Server processes the request, using master-level authentication for the initial session query.</li>
<li>Due to the bypassed sanitization, the response includes the targeted user's sensitive MFA TOTP secret and recovery codes.</li>
<li>The attacker uses the extracted TOTP secret to generate valid, time-based MFA codes.</li>
<li>The attacker uses the generated MFA codes, or the recovery codes, to bypass MFA and gain full access to the user's account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass multi-factor authentication controls and gain unauthorized access to user accounts. The number of affected Parse Server instances is unknown. Impacted organizations could experience account takeovers, data breaches, and reputational damage. The severity is high due to the ease of exploitation (requires only a valid session token) and the direct exposure of MFA secrets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Parse Server instances to a patched version (8.6.61 or later, or 9.6.0-alpha.55 or later) to remediate CVE-2026-33627.</li>
<li>Deploy the Sigma rule &quot;Detect Access to Users Me Endpoint&quot; to monitor access patterns to the vulnerable endpoint.</li>
<li>Enable detailed logging for web server requests to capture requests to the <code>/users/me</code> endpoint to facilitate investigations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>parse-server</category><category>credential-access</category><category>mfa-bypass</category></item><item><title>Parse Server PostgreSQL Adapter SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-parse-server-sqli/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-parse-server-sqli/</guid><description>A SQL injection vulnerability in Parse Server's PostgreSQL adapter allows an attacker with master key access to execute arbitrary SQL statements via crafted field names in aggregate `$group` or `distinct` operations, leading to privilege escalation.</description><content:encoded><![CDATA[<p>A SQL injection vulnerability has been identified in the PostgreSQL adapter of Parse Server versions prior to 8.6.59 and between 9.0.0 and 9.6.0-alpha.53. This flaw enables an attacker who has already gained master key access to the Parse Server instance to inject arbitrary SQL commands. The vulnerability stems from insufficient validation of field names used within the aggregate <code>$group</code> pipeline stage or the <code>distinct</code> operation. By injecting SQL metacharacters into these field names, an attacker can bypass intended restrictions and execute unauthorized database operations. This vulnerability specifically affects Parse Server deployments using PostgreSQL and does not impact those utilizing MongoDB. Successful exploitation leads to privilege escalation, granting the attacker PostgreSQL database-level access, potentially compromising sensitive data and system integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains master key access to the Parse Server application, potentially through credential compromise or vulnerability exploitation in another part of the application.</li>
<li>The attacker crafts a malicious API request targeting either the aggregate <code>$group</code> pipeline stage or the <code>distinct</code> operation.</li>
<li>The crafted API request includes SQL metacharacters embedded within the field name parameters of the <code>$group._id</code> object or the <code>distinct</code> dot-notation parameters.</li>
<li>Parse Server receives the request and, due to insufficient validation, passes the tainted field names to the PostgreSQL storage adapter.</li>
<li>The PostgreSQL storage adapter uses the tainted field names in a <code>:raw</code> interpolation when constructing the SQL query.</li>
<li>The injected SQL metacharacters are interpreted by the PostgreSQL database, altering the intended query logic.</li>
<li>The attacker executes arbitrary SQL commands, such as creating new users with elevated privileges or dumping sensitive data.</li>
<li>The attacker successfully escalates privileges from Parse Server application-level administrator to PostgreSQL database-level access, allowing for full control of the database.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability allows an attacker to escalate privileges from a Parse Server administrator to a PostgreSQL database administrator. This could lead to the complete compromise of the database, including unauthorized access to sensitive data, modification of existing data, and denial of service. The vulnerability affects Parse Server deployments using PostgreSQL, potentially impacting any organization using vulnerable versions. Given the nature of Parse Server as a backend for mobile and web applications, a successful attack could expose user data and application logic, leading to significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Parse Server to version 8.6.59 or greater, or version 9.6.0-alpha.53 or greater, to patch CVE-2026-33539.</li>
<li>Implement input validation on the server side to sanitize field names before they are passed to the PostgreSQL adapter. While a full fix should be deployed, this provides defense in depth.</li>
<li>Monitor PostgreSQL logs for suspicious queries that contain unexpected SQL metacharacters in field names. Adapt the provided Sigma rule <code>Detect Suspicious Parse Server PostgreSQL Queries</code> to your logging environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>privilege-escalation</category><category>parse-server</category></item></channel></rss>