Researchers have discovered a critical-severity bug in the open-source tool Parse Server. Exploiting this server vulnerability could allow remote code execution attacks.
Parse Server RCE Vulnerability
As explained in a recent advisory on GitHub, the RCE vulnerability existed in the Parse Server npm package.
Specifically, the three researchers, Mikhail Shcherbakov, Cristian-Alexandru Staicu, and Musard Balliu, explained that they noticed a prototype pollution vulnerability in the DatabaseController.js file. They confirmed the bug on both Ubuntu and Windows.
Briefly, prototype pollution is a code injection attack affecting JavaScript that allows an attacker to maliciously modify the app’s intended functionality. As defined by Snyk,
Prototype pollution is an injection attack that targets JavaScript runtimes. With prototype pollution, an attacker might control the default values of an object’s properties. This allows the attacker to tamper with the logic of the application and can also lead to denial of service or, in extreme cases, remote code execution.
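As an added illustration (constructed for this article, not code from Parse Server or its advisory), the snippet below shows the classic pattern behind this bug class: a naive recursive merge of untrusted JSON lets a `__proto__` key reach `Object.prototype`, while a hardened merge that rejects prototype-reaching keys does not.

```javascript
// Added example, not Parse Server's code: a naive recursive merge of
// untrusted JSON beside a hardened one.

// Vulnerable: trusts every key, so target["__proto__"] resolves to
// Object.prototype and the nested values are written onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drops keys that reach a prototype and only recurses into
// properties the target itself owns (never an inherited object).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // reject rather than write
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: one ordinary field plus a polluting key.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Runs both merges and reports whether an unrelated object was affected.
function demonstrate() {
  const unsafeTarget = unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const unsafePolluted = ({}).polluted === true; // true: prototype changed
  delete Object.prototype.polluted;              // undo before next check
  const safeTarget = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const safePolluted = ({}).polluted === true;   // false: key was dropped
  return { unsafePolluted, safePolluted, unsafeTarget, safeTarget };
}
```

Blocking the three keys is the common library-level fix; freezing `Object.prototype` at startup or running Node.js with `--disable-proto=throw` are complementary runtime hardenings.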
The Parse Server vulnerability affected the tool in its default MongoDB configuration; the researchers noted that the vulnerable code could also affect Postgres and other database backends.
This vulnerability has received the CVE ID CVE-2022-24760 and a severity score of 10. The affected Parse Server versions include all releases before 4.10.7.
So, users should upgrade to Parse Server 4.10.7 or later to receive the fix for this flaw. (The current release is 5.0.0.)
The researchers have also explained a workaround for users who cannot update immediately.
Although the fix is broader and covers several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disabling BSON code execution.
Parse Server is an open-source backend framework that runs on Node.js. It can be deployed to any infrastructure and supports integration with existing web apps. It can also work with the Express web application framework and even run independently.