Researchers have discovered a critical-severity bug in the open-source tool Parse Server. Exploiting this server vulnerability could allow remote code execution (RCE) attacks.
Parse Server RCE Vulnerability
As explained in a recent advisory on GitHub, the RCE vulnerability existed in the Parse Server npm package.
Specifically, the three researchers, Mikhail Shcherbakov, Cristian-Alexandru Staicu, and Musard Balliu, explained that they noticed a prototype pollution vulnerability in the DatabaseController.js file. They confirmed the bug on both Ubuntu and Windows.
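Prototype pollution, the bug class the researchers name here, arises when untrusted input is copied into an object key by key so that a crafted "__proto__" key writes onto Object.prototype itself. The following is an added illustration, not code from the advisory or from Parse Server: a toy recursive merge of the kind that typically introduces the flaw, beside a hardened variant that rejects the dangerous keys and stores nested data in null-prototype containers. The input document and the function names are constructed for this example.

```javascript
// Added example (not from the advisory or Parse Server): the prototype
// pollution class in a toy merge function, beside a hardened version.

// Vulnerable: copies every key, including "__proto__". Reading
// target["__proto__"] on a plain object yields Object.prototype, so the
// recursion then writes attacker-chosen properties onto every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, only recurse into
// properties the target actually owns, and use null-prototype containers so
// nested data can never alias Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected dangerous key: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: a JSON body carrying a "__proto__" key. JSON.parse
// creates it as an ordinary own property, so Object.keys() returns it.
const CONSTRUCTED_INPUT = JSON.parse(
  '{"name":"alice","__proto__":{"isAdmin":true}}'
);

// Shows the effect of the vulnerable merge: an unrelated, freshly created
// object suddenly reports isAdmin === true. Cleans up afterwards.
function demoUnsafe() {
  const before = ({}).isAdmin;          // undefined: prototype still clean
  unsafeMerge({}, CONSTRUCTED_INPUT);
  const after = ({}).isAdmin;           // true: Object.prototype was polluted
  delete Object.prototype.isAdmin;      // restore the runtime for the rest
  return { before, after };
}

// Shows the hardened merge rejecting the same document without side effects.
function demoSafe() {
  let rejected = false;
  try {
    safeMerge({}, CONSTRUCTED_INPUT);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).isAdmin !== undefined };
}

console.log(demoUnsafe()); // { before: undefined, after: true }
console.log(demoSafe());   // { rejected: true, polluted: false }
```

The key filter alone is not a complete defence, since `Object.keys` and property reads behave the same for `constructor.prototype` chains; that is why the hardened version also checks ownership and uses `Object.create(null)`. As a process-wide backstop, applications that never extend built-ins can additionally call `Object.freeze(Object.prototype)` at startup so that any remaining pollution path fails instead of succeeding silently.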
The vulnerability affected the tool in its default MongoDB configuration. The researchers explained that the vulnerable code could also affect Postgres and other database backends.
This vulnerability has received the CVE ID CVE-2022-24760 and a severity score of 10. The affected Parse Server versions are all releases before 4.10.7.
Users should therefore upgrade to Parse Server 4.10.7 or higher to receive the fix for this flaw. (The current release line includes 5.0.0.)
The researchers have also explained a workaround for users to address this problem if they can’t manage to update immediately.
Although the full fix is broader and addresses several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disabling BSON code execution.
Parse Server is an open-source backend framework that runs on Node.js. It can be deployed to any infrastructure and supports integration with existing web apps. It can also work with the Express web application framework and even run independently.