Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

GHSA-93vw-8fm5-p2jf · BIT-parse-2022-41879 · CVE-2022-41879

Published Nov 10, 2022 · Modified Dec 6, 2023

Description

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf

References

WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-41879
WEB https://github.com/parse-community/parse-server/pull/8305
WEB https://github.com/parse-community/parse-server/pull/8306
WEB https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8
WEB https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4
PACKAGE https://github.com/parse-community/parse-server
WEB https://github.com/parse-community/parse-server/releases/tag/4.10.20
WEB https://github.com/parse-community/parse-server/releases/tag/5.3.3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes