Input validation error in parse-server - CVE-2022-39231


Published: September 20, 2022 / Updated: May 23, 2026


Vulnerability identifier: #VU132198
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-39231
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MeetFox
Affected software:
parse-server

Detailed vulnerability description

The vulnerability allows a remote user to bypass app ID validation during authentication.

The vulnerability exists due to improper input validation in the Facebook and Spotify authentication adapters when they process authentication requests while the server-side appIds configuration is set to a string instead of an array of strings. A remote user can authenticate with a Facebook or Spotify app whose app ID differs from the configured one, bypassing app ID validation during authentication.

Exploitation requires that authentication through the Facebook or Spotify adapter is enabled and that the app ID assigned by the authentication provider is a subset (substring) of the configured app ID.
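The type-dependent behaviour described above, as an added illustrative example that is not parse-server's own code: a weak check that calls includes() on the appIds setting exactly as configured (so a string setting degrades to a substring match) next to a hardened check that normalises the setting to an array and requires exact equality. The function names and the sample app IDs are constructed for this example.

```javascript
// Weak check (illustrative): trusts whatever type the appIds setting has.
// On an array, includes() tests element equality; on a string, includes()
// is a substring search, so any app ID that appears inside the configured
// value is accepted. That is the string-vs-array gap the advisory describes.
function validateAppIdWeak(appIds, appId) {
  return appIds.includes(appId);
}

// Hardened check: normalise the configuration to an array of non-empty
// strings first, reject anything else, then require exact element equality.
function validateAppIdStrict(appIds, appId) {
  const allowed = Array.isArray(appIds) ? appIds : [appIds];
  if (!allowed.every((id) => typeof id === 'string' && id.length > 0)) {
    throw new TypeError('appIds must be a non-empty string or an array of non-empty strings');
  }
  if (typeof appId !== 'string') {
    return false;
  }
  return allowed.some((id) => id === appId);
}

// Constructed sample values: the operator configured one app ID, and a
// request arrives carrying an app ID that is merely a substring of it.
const CONFIGURED_APP_ID = '123456789012345';   // constructed, not a real app
const SUBSTRING_APP_ID = '1234';               // constructed, a prefix of the above

// Returns a small summary so the difference can be checked programmatically.
function compareChecks() {
  return {
    // string config + substring request: weak check accepts, strict rejects
    weakStringConfig: validateAppIdWeak(CONFIGURED_APP_ID, SUBSTRING_APP_ID),
    strictStringConfig: validateAppIdStrict(CONFIGURED_APP_ID, SUBSTRING_APP_ID),
    // array config + same request: both reject, which is why the advisory
    // says the flaw only appears when appIds is a string
    weakArrayConfig: validateAppIdWeak([CONFIGURED_APP_ID], SUBSTRING_APP_ID),
    strictArrayConfig: validateAppIdStrict([CONFIGURED_APP_ID], SUBSTRING_APP_ID),
    // the genuinely configured app ID still passes the strict check
    strictExactMatch: validateAppIdStrict(CONFIGURED_APP_ID, CONFIGURED_APP_ID),
  };
}

console.log(compareChecks());
```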


How to mitigate CVE-2022-39231

Install the security update from the vendor's website.

Sources