Description
This is a Remote Code Execution (RCE) vulnerability in Parse Server. It affects Parse Server in the default configuration with MongoDB. The root weakness that leads to RCE is the prototype-pollution-vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.10.7
- Patched version(s): 4.10.7
Related Issues
- ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection - CVE-2024-27298
- NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Strapi allows Server-Side Request Forgery in Webhook function - CVE-2024-52588
Tags:
- npm
- parse-server
Last updated on January 27, 2023