GitHub has awarded the bug a severity score of 10 – the highest available

Users of Parse Server, a popular API server module for Node/Express, are being urged to immediately apply a fix for a remote code execution (RCE) vulnerability.

Discovered by security researchers Mikhail Shcherbakov, Cristian-Alexandru Staicu, and Musard Balliu, the vulnerability impacts the parse-server NPM package, versions below 4.10.7.

In a security advisory published on GitHub, on March 11, the team said the RCE vulnerability was discovered in a default configuration with MongoDB and has been confirmed in Ubuntu and Windows versions of the software.

Prototype pollution

The root cause of the security problem in play is prototype pollution.

Prototype pollution occurs when attacker-controlled input, such as a JSON key named __proto__, is merged into an application object in a way that lets the attacker add or overwrite properties on Object.prototype, the object that every ordinary JavaScript object inherits from. Because those injected properties then show up on objects throughout the application, the bug can be escalated into remote code execution, various forms of cross-site scripting (XSS), SQL injection, and more, depending on how the application uses the values it inherits.

Parse Server is open source backend software that runs on Node.js. It can run standalone or alongside web application frameworks such as Express, and it supports MongoDB and PostgreSQL as database backends.

According to the researchers, the vulnerable code lives in DatabaseController.js in the parse-server NPM package.

Shcherbakov and Staicu said that as the security flaw was found in the database function, it will “likely affect Postgres and any other database backend as well”.

Speaking to The Daily Swig, Shcherbakov said the vulnerable code was not specific to particular database modules and, in theory, “should be reachable with any database backend”.

“However, the exploitation requires a gadget to get arbitrary code execution and some kind of a race condition to execute the gadget in the required order,” Shcherbakov explained. “I found the gadget and the race condition in MongoDB modules to demonstrate the exploit. I did not try to use another database, but it is likely possible.”

Imperfect 10

Tracked as CVE-2022-24760, the RCE bug is awaiting a formal CVSS score from NIST, but GitHub – a CVE Numbering Authority (CNA) – has given the vulnerability a base score of 10 – the highest severity possible.

Parse Server 4.10.7 includes a patch for CVE-2022-24760. Among other changes, the fix adds a scanner for sensitive keywords that is intended to block prototype pollution attacks.
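To make the mechanism described above concrete, the following is an added illustration, not code from Parse Server, from the 4.10.7 patch or from the researchers. It shows a naive recursive merge that pollutes Object.prototype when fed a JSON body containing a __proto__ key, beside a hardened version that scans the parsed input for the dangerous keys before merging, in the spirit of the keyword scanner in the fix. The payload, the key list and all function names are constructed for the demonstration and are not taken from the project.

```javascript
// Added illustration, not code from Parse Server or from the researchers.
// A JSON body constructed for the demonstration: in an object literal,
// `__proto__: {...}` would set the prototype instead of creating a key,
// so the payload is written as a raw JSON string.
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Vulnerable: a naive recursive merge. JSON.parse turns "__proto__" into an
// ordinary own property of `src`, so Object.keys(src) returns it. Reading
// dst["__proto__"] on a plain object returns Object.prototype, and the
// recursive call then writes isAdmin onto the prototype shared by every object.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys through which a merge reaches the prototype chain instead of the target
// (hypothetical list for this example, not the project's).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Scanner in the spirit of the 4.10.7 fix (hypothetical implementation): walk
// the parsed input and return the dotted path of the first forbidden key, or
// null when the input is clean. A forbidden key is reported before its value
// is read, so the walk never dereferences it.
function findForbiddenKey(value, path = []) {
  if (!value || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path.concat(key);
    if (FORBIDDEN_KEYS.has(key)) return here.join('.');
    const hit = findForbiddenKey(value[key], here);
    if (hit !== null) return hit;
  }
  return null;
}

// Hardened: refuse any input the scanner flags, then merge. With the
// forbidden keys excluded the merge can no longer reach Object.prototype.
function safeMerge(dst, src) {
  const hit = findForbiddenKey(src);
  if (hit !== null) throw new Error(`Prohibited key in input: ${hit}`);
  return unsafeMerge(dst, src);
}

// Shows the pollution: a fresh object has no isAdmin before the merge and
// inherits isAdmin === true after it. The property is deleted again so the
// rest of the program is not affected.
function demonstratePollution() {
  const before = ({}).isAdmin;
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { before, after };
}

// Same payload through the hardened path: rejected, nothing is polluted.
function demonstrateHardened() {
  try {
    safeMerge({}, JSON.parse(PAYLOAD));
    return 'merged';
  } catch (err) {
    return err.message;
  }
}

console.log(demonstratePollution()); // { before: undefined, after: true }
console.log(demonstrateHardened());  // Prohibited key in input: __proto__
```

The keyword scan is a block-list, so it is only as good as the list; a more robust design merges into objects created with Object.create(null), or into a Map, so that there is no prototype for a crafted key to reach in the first place, and uses the scan as a second layer.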

Users are advised to upgrade to at least v4.10.7 of Parse Server.

One possible workaround, short of applying the recommended update, is to patch the MongoDB Node.js driver to disable BSON code execution. That removes the MongoDB gadget the researchers used to reach code execution rather than the underlying prototype pollution in DatabaseController.js, so upgrading remains the recommended fix.

The most recent build available is 5.0.0, which also bundles new and improved file upload security controls.

The Daily Swig has reached out to the project with additional queries. We will update this story as and when we hear back from Parse Server’s developers.
