Calling Parse.User.currentAsync when user is not logged in crashes the server with process.exit(1)

[valerycolong]

New Issue Checklist

• Report security issues confidentially.
• Any contribution is under this license.
• Before posting search existing issues.

Issue Description

Using Parse SDK on the web, after sign up but user not authenticated - as the service required email verification - I issued a request to update the user from async storage by calling Parse.User.currentAsync(). This call crashes my parse server backend with process.exit(0).

I find this strange and a pricey vulnerability since anyone can issue a similar request to the server crashing the server each time.

Steps to reproduce

Enable sign up with user verification on parse server backend. Sign up a user from the front end and immediate issue a Parse.User.currentAsync() call to update the user. The backend server crashes with exit code 1.

Actual Outcome

Parse server crashes with exit code 1.

Expected Outcome

I expected an invalid session error to be reported back to the caller without crashing the server.

Environment

Node LTS on Docker Debian Bookworm on Docker, Parse Server 7.2.0 Node JS module, Ubuntu 22.04 as host OS.

Server

• Parse Server version: 7.2.0
• Operating system: Node LTS on Docker Debian Bookworm
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local on Docker

Database

• System (MongoDB or Postgres): MongoDB
• Database version: 6.0.14
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Local on Docker

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): JavaScript
• SDK version: 5.3.0

[parse-github-assistant[bot]]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.