PT-2022-16862 · Canonical+1 · Ubuntu+1

Mtrezzap · Published 2022-03-11 · Updated 2024-03-06 · CVE-2022-24760

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.7
Description: The issue is a Remote Code Execution (RCE) vulnerability in Parse Server that affects the default configuration with MongoDB. The root cause is prototype-pollution-prone code in the file DatabaseController.js, which may also affect Postgres and other database backends. The vulnerability has been confirmed on Linux (Ubuntu) and Windows.
Recommendations: Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta), wait for a timely fix. As a temporary workaround, consider patching the MongoDB Node.js driver and disabling BSON code execution by adding the provided code to be executed before starting Parse Server. To prevent JavaScript prototype pollution, a new security feature scans request data for sensitive keywords; the default keywords can be overridden by setting the new Parse Server option requestKeywordDenylist to [] and specifying your own keywords as needed.
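To make the keyword-scanning mitigation concrete, here is an added JavaScript example (not Parse Server's own code) of a request-body scanner modelled on the requestKeywordDenylist idea: each denylist entry is an assumed {key, value} object, and the keyword set and sample bodies are constructed for this example rather than taken from the project.

```javascript
// Added example, not Parse Server's own implementation: a recursive scanner that
// rejects request data containing denylisted keys or key/value pairs. Each entry
// is an assumed {key, value} object; an entry matches when every field it names
// equals the corresponding key or value in the request. The keyword set below is
// constructed for this example and is not claimed to be Parse Server's default list.
const DEFAULT_DENYLIST = [
  { key: '__proto__' },                  // classic prototype-pollution key
  { key: 'constructor' },                // reaches Object.prototype via .prototype
  { key: '_bsontype', value: 'Code' },   // serialized BSON code object
];

// Walks `data` depth-first and returns the first offending {path, entry},
// or null when no denylisted keyword is present.
function findDeniedKeyword(data, denylist = DEFAULT_DENYLIST, path = '') {
  if (data === null || typeof data !== 'object') return null;
  // Object.keys lists own properties only, so an own "__proto__" key created by
  // JSON.parse is visible here even though it is not a normal prototype link.
  for (const key of Object.keys(data)) {
    const value = data[key];
    const here = path ? `${path}.${key}` : key;
    for (const entry of denylist) {
      const keyHit = entry.key === undefined || entry.key === key;
      const valueHit = entry.value === undefined || entry.value === value;
      if (keyHit && valueHit) return { path: here, entry };
    }
    const nested = findDeniedKeyword(value, denylist, here);
    if (nested) return nested;
  }
  return null;
}

// Constructed sample bodies, as a handler would see them after JSON.parse.
const SAMPLE_CLEAN = { name: 'widget', tags: ['a', 'b'], owner: { id: 'u1' } };
const SAMPLE_POLLUTED = JSON.parse('{"name":"x","meta":{"__proto__":{"isAdmin":true}}}');
```

A handler would call findDeniedKeyword on the parsed body and reject the request with a 4xx response when it returns a non-null result; passing [] as the denylist disables the scan entirely, which is the behaviour the advisory warns about when overriding the defaults.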

Exploit

Fix

Weakness Enumeration: Special Elements Injection, Prototype Pollution

Related Identifiers:

BIT-PARSE-2022-24760
CVE-2022-24760
GHSA-P6H4-93QP-JHCM

Affected Products:

Ubuntu
Windows