Canonical · Ubuntu · CVE-2022-24760
**Name of the Vulnerable Software and Affected Versions**
Parse Server versions prior to 4.10.7
**Description**
The issue is a Remote Code Execution (RCE) vulnerability in Parse Server, affecting the default configuration with MongoDB. The root cause is prototype-pollution-prone code in the file `DatabaseController.js`, which may also affect Postgres and other database backends. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.
**Recommendations**
Upgrade to Parse Server >=4.10.7.
If you are using a prerelease version of Parse Server 5.0 (alpha, beta), wait for a timely fix.
As a temporary workaround, consider patching the MongoDB Node.js driver and disabling BSON code execution by running the provided code before starting Parse Server.
To prevent JavaScript prototype pollution, a new security feature scans request data for sensitive keywords. You can override the default keywords by setting the new Parse Server option `requestKeywordDenylist` to `[]` and then specifying your own keywords as needed.
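As an added illustration of what such a request keyword denylist guards against (this is not Parse Server's own implementation), the following scans a request body for denylisted keys; the default entries and the sample bodies are assumed and constructed for the example, since the page names no specific keywords.

```javascript
// Added example: a recursive scan for denylisted keys in request data,
// illustrating how a keyword denylist like `requestKeywordDenylist` works.
// Not Parse Server's own code; the entries below are assumed for illustration.
const DEFAULT_DENYLIST = [
  { key: '__proto__' },               // JSON keys that reach Object.prototype
  { key: 'constructor' },             // .constructor.prototype is another route there
  { key: '_bsontype', value: 'Code' } // BSON Code objects carry JavaScript source
];

// Returns the dotted paths at which a denylisted entry was found.
// An entry with only `key` matches on the key name; an entry with both
// `key` and `value` matches only when the value is equal as well.
// Passing `[]` as the denylist disables all checks, mirroring the option.
function findDenylistedKeywords(data, denylist = DEFAULT_DENYLIST, path = '') {
  const hits = [];
  if (data === null || typeof data !== 'object') return hits;
  // JSON.parse stores "__proto__" as an own property, so Object.entries sees it.
  const entries = Array.isArray(data)
    ? data.map((v, i) => [String(i), v])
    : Object.entries(data);
  for (const [k, v] of entries) {
    const here = path ? `${path}.${k}` : k;
    for (const rule of denylist) {
      if (rule.key !== k) continue;
      if ('value' in rule && rule.value !== v) continue;
      hits.push(here);
    }
    hits.push(...findDenylistedKeywords(v, denylist, here));
  }
  return hits;
}

// Constructed sample request bodies (not real traffic).
const benignBody = { title: 'hello', tags: ['a', 'b'], where: { score: { $gt: 1 } } };
const suspiciousBody = JSON.parse(
  '{"where":{"__proto__":{"polluted":1}},"fn":{"_bsontype":"Code"}}'
);

// Reject a request when any denylisted keyword is present.
function shouldRejectRequest(body, denylist = DEFAULT_DENYLIST) {
  return findDenylistedKeywords(body, denylist).length > 0;
}

console.log(findDenylistedKeywords(benignBody));     // []
console.log(findDenylistedKeywords(suspiciousBody)); // [ 'where.__proto__', 'fn._bsontype' ]
```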