CRITICAL | CWE-284 | Database Security
Firebase Rules Open to World
Description
Your Firebase/Firestore security rules grant read and/or write access to unauthenticated requests (typically a catch-all rule such as "allow read, write: if true;"), so anyone who learns your project ID, which ships in every client's Firebase config, can query and modify the database without signing in.
How Vezraa Detects It
We send unauthenticated requests to your project's Firestore REST endpoint and check whether read and write operations succeed instead of being rejected with PERMISSION_DENIED.
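The unauthenticated probe described above, as an added example that is not Vezraa's scanner code: it calls the public Firestore REST API (documents.list, createDocument, delete) with no Authorization header, so the project's security rules evaluate each request with request.auth == null. A 403 means the rules denied it; a 200 means any anonymous client on the internet can do the same. The project ID, candidate collection names and canary document ID are placeholders, and demo() runs offline against a constructed fake transport; pass fetch=http_fetch to probe a project you are authorised to test.

```python
"""Unauthenticated probe for world-open Cloud Firestore rules (added example).

Sends requests to the public Firestore REST API without any Authorization
header, so security rules evaluate them with request.auth == null.
PROJECT_ID, CANDIDATE_COLLECTIONS and CANARY_ID are placeholder assumptions.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

FIRESTORE_API = "https://firestore.googleapis.com/v1"
PROJECT_ID = "example-project"                          # placeholder, not a real target
CANDIDATE_COLLECTIONS = ["users", "messages", "config"]  # placeholder guesses
CANARY_ID = "_unauth_write_probe"                        # assumed canary document id

# Transport signature: (method, url, body) -> (status, response_body).
FetchFn = Callable[[str, str, Optional[bytes]], Tuple[int, str]]


def documents_url(project_id: str, collection: str, database: str = "(default)") -> str:
    """REST endpoint that lists documents in (GET) or creates a document in (POST) a collection."""
    return f"{FIRESTORE_API}/projects/{project_id}/databases/{database}/documents/{collection}"


def http_fetch(method: str, url: str, body: Optional[bytes] = None) -> Tuple[int, str]:
    """Real transport. Deliberately sends no Authorization header."""
    headers = {"Content-Type": "application/json"} if body else {}
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify_read(status: int, body: str) -> str:
    """DENIED on 403; OPEN if the list succeeded (rules allowed an anonymous read)."""
    if status == 403:
        return "DENIED"
    if status != 200:
        return f"UNEXPECTED({status})"
    try:
        docs = json.loads(body).get("documents", [])
    except (ValueError, AttributeError):
        return "UNEXPECTED(200)"
    # A 200 with no documents still proves the rule allowed the list query.
    return "OPEN" if docs else "OPEN_EMPTY"


def classify_write(status: int) -> str:
    """DENIED on 403; OPEN if createDocument succeeded for an anonymous client."""
    if status == 403:
        return "DENIED"
    return "OPEN" if status == 200 else f"UNEXPECTED({status})"


def probe_project(project_id: str, collections: List[str], fetch: FetchFn = http_fetch,
                  try_write: bool = False) -> Dict[str, Dict[str, str]]:
    """Probe each candidate collection; optionally attempt (and clean up) a canary write."""
    results: Dict[str, Dict[str, str]] = {}
    for coll in collections:
        url = documents_url(project_id, coll)
        status, body = fetch("GET", url, None)
        entry = {"read": classify_read(status, body)}
        if try_write:
            payload = json.dumps({"fields": {"probe": {"stringValue": "unauthenticated write check"}}}).encode()
            status, body = fetch("POST", f"{url}?documentId={CANARY_ID}", payload)
            entry["write"] = classify_write(status)
            if status == 200:
                # Remove the canary so the probe leaves no data behind.
                created = json.loads(body)["name"]
                fetch("DELETE", f"{FIRESTORE_API}/{created}", None)
        results[coll] = entry
    return results


def is_open(results: Dict[str, Dict[str, str]]) -> bool:
    """True if any collection accepted an anonymous read or write."""
    return any(v.startswith("OPEN") for entry in results.values() for v in entry.values())


def demo() -> Dict[str, Dict[str, str]]:
    """Offline run against a constructed fake project: users open, messages open but empty, config denied."""
    denied = (403, json.dumps({"error": {"code": 403, "status": "PERMISSION_DENIED"}}))
    user_doc = {"name": f"projects/{PROJECT_ID}/databases/(default)/documents/users/u1",
                "fields": {"email": {"stringValue": "alice@example.com"}}}

    def fake_fetch(method: str, url: str, body: Optional[bytes]) -> Tuple[int, str]:
        path = url.split("?", 1)[0]
        if path.endswith("/documents/users"):
            if method == "GET":
                return 200, json.dumps({"documents": [user_doc]})
            return 200, json.dumps({"name": path[len(FIRESTORE_API) + 1:] + "/" + CANARY_ID})
        if path.endswith("/documents/messages") and method == "GET":
            return 200, "{}"
        if method == "DELETE":
            return 200, "{}"
        return denied

    return probe_project(PROJECT_ID, CANDIDATE_COLLECTIONS, fetch=fake_fetch, try_write=True)


if __name__ == "__main__":
    report = demo()  # use probe_project(..., fetch=http_fetch) against a project you own
    for coll, verdict in report.items():
        print(f"{coll:10s} {verdict}")
    print("FINDING: Firebase rules open to world" if is_open(report) else "rules deny anonymous access")
```

For a correctly locked-down project every probe returns 403 PERMISSION_DENIED. OPEN_EMPTY still counts as a finding: the rule let an anonymous list query through, the collection just happened to be empty. The write probe creates and then deletes a canary document, so only run it with try_write=True against a project you own.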
Real-World Impact
Anyone on the internet who knows your project ID can read, modify, or delete every document in your Firestore database: all user data, content, and configuration. Because writes are open as well, an attacker can tamper with records or wipe the database outright, not just copy it.
Fix Example
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // BAD: grants every request, signed in or not, full read/write on every document.
    // allow read, write: if true;

    // GOOD: a signed-in user can read and write only the document keyed by their own uid.
    // Collections with no matching rule are denied by default, so nothing else is exposed.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
Affected Stacks
Firebase, Firestore