GHSA-r657-33vp-gp22
LOWparse-server auth adapter app ID validation can be circumvented
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
parse-servernpmDescription
Impact
Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented.
This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]). The vulnerability makes it possible to authenticate requests which are coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.
Both adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID.
The documentation did not explicitly specify that the parameter appIds must be set as an array of strings and setting a string also worked. Therefore, there is a possibility that there are deployments where appIds is set as a string, making them vulnerable.
Patches
The fix makes Parse Server check the type of the value set for appIds and throws an error if the value is not an array.
Workarounds
No known workarounds.
References
- GitHub advisory GHSA-r657-33vp-gp22
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | parse-server | all versions | 4.10.16 |
| 📦npm | parse-server | ≥ 5.0.0&&< 5.2.7 | 5.2.7 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for parse-server. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update parse-server to 4.10.16 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-r657-33vp-gp22 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-r657-33vp-gp22 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-r657-33vp-gp22. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-r657-33vp-gp22 in your dependencies?
O3 detects GHSA-r657-33vp-gp22 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.