PT-2023-18526 · Unknown · Parse Server
Dblythy (+1)
Published: 2023-01-31 · Updated: 2024-03-06
CVE-2023-22474
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.4.1
Description: The issue arises from Parse Server's use of the request header x-forwarded-for to determine the client IP address. If Parse Server is not running behind a proxy server, a client can set this header itself, and Parse Server trusts its value. This leads to the use of an incorrect client IP address by various features in Parse Server, which can be exploited to circumvent the security mechanism of the Parse Server option masterKeyIps. This is done by setting an allowed IP address as the x-forwarded-for header value.
Recommendations: For versions prior to 5.4.1, update to version 5.4.1 or later, where the mechanism to determine the client IP address has been rewritten to require setting the Parse Server option trustProxy for correct IP address determination. As a temporary workaround, consider setting the trustProxy option accordingly to minimize the risk of exploitation.
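An added illustrative model, not Parse Server's own code, of the IP resolution the description and recommendation refer to: the pre-5.4.1 behaviour that trusts x-forwarded-for unconditionally beside a trustProxy-gated resolver and a masterKeyIps check. The request shape, helper names and the single-trusted-proxy layout are assumptions.

```javascript
// Illustrative model (not Parse Server's code) of client IP resolution before
// and after the fix described in CVE-2023-22474.
// Assumed request shape: { socketAddress, headers } (hypothetical).

// Pre-5.4.1 behaviour as the advisory describes it: x-forwarded-for is
// trusted unconditionally, so a direct client can supply any value.
function clientIpLegacy(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.socketAddress;
}

// Hardened behaviour: the header is consulted only when the operator has
// declared that the server sits behind a reverse proxy (trustProxy).
// Assumption: exactly one trusted proxy, which appends the address it saw
// as the right-most entry; anything further left is client-supplied.
function clientIpHardened(req, trustProxy) {
  const xff = req.headers['x-forwarded-for'];
  if (!trustProxy || !xff) return req.socketAddress;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return hops.length ? hops[hops.length - 1] : req.socketAddress;
}

// masterKeyIps allow-list check built on the hardened resolver.
function masterKeyAllowed(req, masterKeyIps, trustProxy) {
  return masterKeyIps.includes(clientIpHardened(req, trustProxy));
}

// Constructed sample: a direct client (no proxy in front of the server)
// whose header carries an address that is on the allow list.
const masterKeyIps = ['127.0.0.1'];
const directClient = {
  socketAddress: '203.0.113.7',
  headers: { 'x-forwarded-for': '127.0.0.1' },
};
// Constructed sample: the same server behind one trusted proxy at 10.0.0.2,
// which appended the real peer 198.51.100.9 after a client-supplied entry.
const behindProxy = {
  socketAddress: '10.0.0.2',
  headers: { 'x-forwarded-for': '127.0.0.1, 198.51.100.9' },
};

console.log('legacy resolver   :', clientIpLegacy(directClient));             // 127.0.0.1
console.log('hardened, no proxy:', clientIpHardened(directClient, false));   // 203.0.113.7
console.log('allowed, no proxy :', masterKeyAllowed(directClient, masterKeyIps, false)); // false
console.log('hardened, proxied :', clientIpHardened(behindProxy, true));      // 198.51.100.9
```

With trustProxy unset the header is ignored entirely, which is the workaround the recommendation describes; enabling it without a proxy in front of the server reintroduces the same trust problem.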


Weakness Enumeration: Authentication Bypass by Spoofing

Related Identifiers:
  BIT-PARSE-2023-22474
  CVE-2023-22474
  GHSA-VM5R-C87R-PF6X

Affected Products: Parse Server