CRITICAL · CWE-284 · Database Security

Firebase Rules Open to World

Description

Your Firebase/Firestore security rules allow read/write access to unauthenticated users, exposing your entire database.

How Vezraa Detects It

We probe your Firestore endpoint with unauthenticated requests and test if read/write operations are permitted.

Real-World Impact

Anyone on the internet can read, write, or delete your entire Firestore database — all user data, content, and configurations are exposed.

Fix Example

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // BAD: allow read, write: if true;
    // GOOD:
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
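As an added self-check for the fix above (example code written for this entry, not part of the Vezraa page or product): a static lint that flags `allow` statements whose condition never consults `request.auth`, plus a read-only probe of your own project's Firestore REST endpoint. The REST URL layout and the "200 means open, 403 means denied" mapping are assumptions about the public Firestore API; the embedded rules texts are constructed samples.

```python
"""Self-check for open Firestore rules: static lint plus an anonymous read probe."""
import re
import urllib.error
import urllib.request

# One `allow` statement: verbs, then an optional condition after "if", up to the ";".
ALLOW_RE = re.compile(r"allow\s+([\w,\s]+?)\s*(?::\s*if\s+(.+?))?\s*;")


def find_open_allows(rules_text: str) -> list[dict]:
    """Return allow statements that grant access without an auth check.

    Heuristic (assumption): a statement is flagged when its condition is missing,
    is literally `true`, or never mentions request.auth. Comments are stripped
    first, so a `// BAD: ...` note is not reported as a live rule.
    """
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.split("//", 1)[0]
        for m in ALLOW_RE.finditer(line):
            verbs, cond = m.group(1).strip(), (m.group(2) or "").strip()
            if cond in ("", "true") or "request.auth" not in cond:
                findings.append({"line": lineno, "verbs": verbs, "condition": cond or "(none)"})
    return findings


def classify_probe(status: int) -> str:
    """Map the HTTP status of an unauthenticated list request to a verdict."""
    if status == 200:
        return "OPEN"      # rules let an anonymous caller list documents
    if status == 403:
        return "DENIED"    # rules rejected the anonymous request (expected)
    return "UNKNOWN"       # e.g. 404 for a project without Firestore enabled


def probe_unauthenticated_read(project_id: str, collection: str) -> str:
    """GET one document from a collection with no credentials and classify the result.
    Assumed REST layout: firestore.googleapis.com/v1/projects/<id>/databases/(default)/documents/<coll>."""
    url = (f"https://firestore.googleapis.com/v1/projects/{project_id}"
           f"/databases/(default)/documents/{collection}?pageSize=1")
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify_probe(resp.status)
    except urllib.error.HTTPError as err:
        return classify_probe(err.code)


# Constructed samples: the world-open ruleset and the fixed one from this entry.
OPEN_RULES = "rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    allow read, write: if true;\n  }\n}"
FIXED_RULES = "rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    // BAD: allow read, write: if true;\n    match /users/{userId} {\n      allow read, write: if request.auth != null && request.auth.uid == userId;\n    }\n  }\n}"
```

Run `find_open_allows` over your deployed `firestore.rules` before publishing, and `probe_unauthenticated_read("<your-project-id>", "users")` afterwards to confirm the live endpoint answers DENIED.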

Affected Stacks

Firebase, Firestore
