Description
This is a Remote Code Execution (RCE) vulnerability in Parse Server. It has been confirmed against Parse Server in the default configuration with MongoDB. The root weakness is prototype-pollution-prone code in DatabaseController.js: keys from a client-supplied object are copied into internal objects without rejecting special property names such as `__proto__`, so an attacker can add attributes to `Object.prototype` and every object in the process inherits them. Because that code sits in the database controller rather than in the MongoDB adapter, Postgres and any other database backend are likely affected as well.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.10.7
- Patched version(s): 4.10.7
Tags: npm, parse-server
Last updated on January 27, 2023