Description
This is a Remote Code Execution (RCE) vulnerability in Parse Server. It affects Parse Server in the default configuration with MongoDB. The underlying weakness that leads to RCE is prototype-pollution-vulnerable code in the file DatabaseController.js, so Postgres and any other database backend are likely to be affected as well.
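As an added illustration (not Parse Server's own code, and not the specific code path in DatabaseController.js, which this advisory does not show): the naive recursive-merge pattern behind prototype pollution, beside a key filter that rejects such a document before it reaches the database layer. The function names and the sample document are assumptions made for the example.

```javascript
// Keys that let a client-controlled object reach Object.prototype when a
// naive recursive merge walks into them.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge of the kind that makes a database layer vulnerable
// to prototype pollution: it follows whatever keys the source object has.
// (Illustrative pattern, not the Parse Server implementation.)
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // with key "__proto__" this walks into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walks a JSON-parsed object and returns the dotted path of the first
// polluting key it finds, or null when the object is clean. JSON.parse keeps
// "__proto__" as an own property, so Object.keys() does see it.
function findPollutingKey(obj, path = '') {
  if (obj === null || typeof obj !== 'object') return null;
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTING_KEYS.has(key)) return here;
    const found = findPollutingKey(obj[key], here);
    if (found !== null) return found;
  }
  return null;
}

// Hardened entry point: refuse the whole document instead of silently
// dropping keys, so the rejection shows up in application logs.
function safeMerge(target, source) {
  const bad = findPollutingKey(source);
  if (bad !== null) throw new Error(`rejected document: forbidden key at "${bad}"`);
  return unsafeMerge(target, source);
}
```

Running `unsafeMerge({}, JSON.parse('{"__proto__":{"polluted":true}}'))` leaves every plain object in the process with a `polluted` property, which is the condition a detection test can assert on; `safeMerge` throws before the merge happens.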
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.10.7
- Patched version(s): 4.10.7
References
Related Issues
- ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection - CVE-2024-27298
- XSS in the `of` option of the `.position()` util in jquery-ui - CVE-2021-41184
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- The AuthKit Remix Library renders sensitive auth data in HTML - CVE-2025-55009
Tags:
- npm
- parse-server
Last updated on January 27, 2023