CVE-2022-39396
Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser
In short
Parse Server has a critical flaw that allows attackers to run malicious code on the server by exploiting how it processes MongoDB data. An attacker can trick the system into executing commands without needing any special permissions.
Technical detail
Prototype pollution vulnerability in the MongoDB BSON parser allows unauthenticated remote attackers to achieve arbitrary code execution by injecting malicious properties into JavaScript objects during deserialization. Affected versions prior to 4.10.18 and 5.3.1 lack proper input validation on BSON parsing, enabling exploitation through crafted MongoDB query payloads.
Summary generated and translated by AI from the official description.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
parse-community · parse-serverWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →