PT-2024-22680 · Unknown · Parse Server

Mtrezza · Published 2024-03-19 · Updated 2025-12-17 · CVE-2024-29027

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 6.5.5
Parse Server versions prior to 7.0.0-alpha.29

Description

Parse Server, an open source backend for Node.js, is affected by an issue where calling an invalid Cloud Function name or Cloud Job name can crash the server. This can potentially lead to code injection, internal store manipulation, or remote code execution. Exploitation requires using the startJob method with externally controllable parameters. The fix in versions 6.5.5 and 7.0.0-alpha.29 adds string sanitation for Cloud Function and Cloud Job names.

Recommendations

For versions prior to 6.5.5, sanitize the Cloud Function name and Cloud Job name before they reach Parse Server.
For versions prior to 7.0.0-alpha.29, sanitize the Cloud Function name and Cloud Job name before they reach Parse Server.
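The recommendation above, validating Cloud Function and Cloud Job names before they are handed to Parse Server, shown as an added Node.js example. This is neither Parse Server's code nor the upstream fix: the identifier pattern, the sets of registered names, and the injected startJob stand-in are all assumptions made for the example.

```javascript
// Added example (not Parse Server's own code): guard Cloud Function / Cloud Job
// names before they are passed on to Parse Server, as the advisory recommends.
// Assumptions: the caller knows which names its cloud code registers, and the
// name being checked arrives from an untrusted request body.

// Names that are actually registered with the server's cloud code
// (constructed sample; a real deployment would build these from its own
// Parse.Cloud.define / Parse.Cloud.job registrations).
const REGISTERED_FUNCTIONS = new Set(['sendWelcomeEmail', 'recalculateScores']);
const REGISTERED_JOBS = new Set(['nightlyCleanup', 'rebuildIndex']);

// Conservative identifier shape (assumed policy): letters, digits and
// underscores only, starting with a letter, at most 64 characters.
const NAME_PATTERN = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;

// True only for a string that matches the identifier pattern.
function isWellFormedCloudName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}

// Returns the name if it is both well formed and registered, otherwise null.
// Membership is checked with Set.has, so inherited object keys such as
// 'constructor' never match the way a plain-object property lookup could.
function resolveCloudName(name, registered) {
  if (!isWellFormedCloudName(name)) return null;
  return registered.has(name) ? name : null;
}

// Wrapper around a startJob-like call (injected so the example runs offline):
// unknown or malformed job names are rejected before Parse Server sees them.
function safeStartJob(startJob, jobName, params) {
  const name = resolveCloudName(jobName, REGISTERED_JOBS);
  if (name === null) {
    return { ok: false, error: 'unknown or malformed job name' };
  }
  return { ok: true, result: startJob(name, params) };
}

// Same guard for Cloud Function calls.
function safeRunFunction(runFunction, functionName, params) {
  const name = resolveCloudName(functionName, REGISTERED_FUNCTIONS);
  if (name === null) {
    return { ok: false, error: 'unknown or malformed function name' };
  }
  return { ok: true, result: runFunction(name, params) };
}

// Stand-in for the real startJob so the block runs without a Parse Server.
function fakeStartJob(name, params) {
  return `started ${name} with ${JSON.stringify(params)}`;
}

// Usage: a request handler would call safeStartJob(Parse.Cloud.startJob, body.name, body.params)
// and return a 4xx response when ok is false, instead of forwarding body.name as-is.
console.log(safeStartJob(fakeStartJob, 'nightlyCleanup', { dryRun: true }));
console.log(safeStartJob(fakeStartJob, 'constructor', {}));
```

The allowlist is the important part: shape checks alone would still let a well-formed but unregistered name through, whereas resolving against the set of names the server actually defines means only those names are ever passed downstream.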

Exploit

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

BIT-PARSE-2024-29027
CVE-2024-29027
GHSA-6HH7-46R2-VF29

Affected Products

Parse Server