VYPR
Get started
← All advisories
High severityNVD Advisory· Published May 4, 2022· Updated Apr 23, 2025

Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter

CVE-2022-24901

Description

Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
parse-servernpm
< 4.10.104.10.10
parse-servernpm
>= 5.0.0, < 5.2.15.2.1

Affected products

1

Patches

1
af4a0417a9f3

fix: authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7962)

https://github.com/parse-community/parse-serverManuelMay 1, 2022via ghsa
commit
2 files changed · +49 50
  • spec/AuthenticationAdapters.spec.js+27 40 modified
    @@ -1665,11 +1665,7 @@ describe('Apple Game Center Auth adapter', () => {
       bundleId: 'cloud.xtralife.gamecenterauth',
     };
 
-    try {
-      await gcenter.validateAuthData(authData);
-    } catch (e) {
-      fail();
-    }
+    await gcenter.validateAuthData(authData);
   });
 
   it('validateAuthData invalid signature id', async () => {
@@ -1690,42 +1686,33 @@ describe('Apple Game Center Auth adapter', () => {
     }
   });
 
-  it('validateAuthData invalid public key url', async () => {
-    const authData = {
-      id: 'G:1965586982',
-      publicKeyUrl: 'invalid.com',
-      timestamp: 1565257031287,
-      signature: '1234',
-      salt: 'DzqqrQ==',
-      bundleId: 'cloud.xtralife.gamecenterauth',
-    };
-
-    try {
-      await gcenter.validateAuthData(authData);
-      fail();
-    } catch (e) {
-      expect(e.message).toBe('Apple Game Center - invalid publicKeyUrl: invalid.com');
-    }
-  });
-
   it('validateAuthData invalid public key http url', async () => {
-    const authData = {
-      id: 'G:1965586982',
-      publicKeyUrl: 'http://static.gc.apple.com/public-key/gc-prod-4.cer',
-      timestamp: 1565257031287,
-      signature: '1234',
-      salt: 'DzqqrQ==',
-      bundleId: 'cloud.xtralife.gamecenterauth',
-    };
-
-    try {
-      await gcenter.validateAuthData(authData);
-      fail();
-    } catch (e) {
-      expect(e.message).toBe(
-        'Apple Game Center - invalid publicKeyUrl: http://static.gc.apple.com/public-key/gc-prod-4.cer'
-      );
-    }
+    const publicKeyUrls = [
+      'example.com',
+      'http://static.gc.apple.com/public-key/gc-prod-4.cer',
+      'https://developer.apple.com/assets/elements/badges/download-on-the-app-store.svg',
+      'https://example.com/ \\.apple.com/public_key.cer',
+      'https://example.com/ &.apple.com/public_key.cer',
+    ];
+    await Promise.all(
+      publicKeyUrls.map(publicKeyUrl =>
+        expectAsync(
+          gcenter.validateAuthData({
+            id: 'G:1965586982',
+            timestamp: 1565257031287,
+            publicKeyUrl,
+            signature: '1234',
+            salt: 'DzqqrQ==',
+            bundleId: 'com.example.com',
+          })
+        ).toBeRejectedWith(
+          new Parse.Error(
+            Parse.Error.SCRIPT_FAILED,
+            `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}`
+          )
+        )
+      )
+    );
   });
 });
  • src/Adapters/Auth/gcenter.js+22 10 modified
    @@ -19,15 +19,8 @@ const cache = {}; // (publicKey -> cert) cache
 
 function verifyPublicKeyUrl(publicKeyUrl) {
   try {
-    const parsedUrl = new URL(publicKeyUrl);
-    if (parsedUrl.protocol !== 'https:') {
-      return false;
-    }
-    const hostnameParts = parsedUrl.hostname.split('.');
-    const length = hostnameParts.length;
-    const domainParts = hostnameParts.slice(length - 2, length);
-    const domain = domainParts.join('.');
-    return domain === 'apple.com';
+    const regex = /^https:\/\/(?:[-_A-Za-z0-9]+\.){0,}apple\.com\/.*\.cer$/;
+    return regex.test(publicKeyUrl);
   } catch (error) {
     return false;
   }
@@ -43,7 +36,7 @@ function convertX509CertToPEM(X509Cert) {
   return pemPreFix + certBody + pemPostFix;
 }
 
-function getAppleCertificate(publicKeyUrl) {
+async function getAppleCertificate(publicKeyUrl) {
   if (!verifyPublicKeyUrl(publicKeyUrl)) {
     throw new Parse.Error(
       Parse.Error.OBJECT_NOT_FOUND,
@@ -53,6 +46,25 @@ function getAppleCertificate(publicKeyUrl) {
   if (cache[publicKeyUrl]) {
     return cache[publicKeyUrl];
   }
+  const url = new URL(publicKeyUrl);
+  const headOptions = {
+    hostname: url.hostname,
+    path: url.pathname,
+    method: 'HEAD',
+  };
+  const headers = await new Promise((resolve, reject) =>
+    https.get(headOptions, res => resolve(res.headers)).on('error', reject)
+  );
+  if (
+    headers['content-type'] !== 'application/pkix-cert' ||
+    headers['content-length'] == null ||
+    headers['content-length'] > 10000
+  ) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}`
+    );
+  }
   return new Promise((resolve, reject) => {
     https
       .get(publicKeyUrl, res => {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.