Description
This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.10.7
- Patched version(s): 4.10.7
References
Related Issues
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
- Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on January 27, 2023