Description
The Apple Game Center auth adapter in parse-server does not validate the certificate it relies on to verify a Game Center sign-in. The adapter reads `publicKeyUrl` from the client-supplied `authData` object, checks only that the URL points at an Apple domain, downloads whatever certificate is hosted there, and verifies the `authData` signature with that certificate's public key. Because the certificate itself is never checked against Apple's root certificate, authentication could be bypassed by making a forged certificate accessible via certain Apple domains and providing the URL to that certificate in `authData`, together with a signature produced by the matching private key. The patched versions verify that the downloaded certificate chains to Apple's root certificate before the signature is accepted.
Recommendation
Update the parse-server package to a patched version. Version details:
Affected version(s): **>= 5.0.0, < 5.2.2** and **< 4.10.11**
Patched version(s): **5.2.2** and **4.10.11**
References
- GHSA-rh9j-f5f8-rvgc
- developer.apple.com
- CVE-2022-31083
- CWE-287 (Improper Authentication)
- CWE-295 (Improper Certificate Validation)
- CAPEC-310
- OWASP 2021 A06 (Vulnerable and Outdated Components)
- OWASP 2021 A07 (Identification and Authentication Failures)
Related Issues
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
Tags
- npm
- parse-server
Last updated on January 27, 2023