Headline
GHSA-462x-c3jw-7vr6: Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
Patches
Prevent prototype pollution in MongoDB database adapter.
Workarounds
Disable remote code execution through the MongoDB BSON parser.
Credits
- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- https://github.com/advisories/GHSA-prm5-8g2m-24gg
Skip to content
Sign up
CVE-2023-36475
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
Explore
* All features
* Documentation
* GitHub Skills
* Blog
For
- Enterprise
- Teams
- Startups
- Education
By Solution
- CI/CD & Automation
- DevOps
- DevSecOps
Case Studies
- Customer Stories
- Resources
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Repositories
* Topics
* Trending
* Collections
Pricing
Search All GitHub
No suggested jump to results
Search All GitHub
Search All GitHub
Search All GitHub
Sign in
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-36475
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Critical severity GitHub Reviewed Published Jun 28, 2023 in parse-community/parse-server • Updated Jun 30, 2023
Vulnerability details Dependabot alerts 0
Package
npm parse-server (npm)
Affected versions
< 5.5.2
>= 6.0.0, < 6.2.1
Patched versions
5.5.2
6.2.1
Description
Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
Patches
Prevent prototype pollution in MongoDB database adapter.
Workarounds
Disable remote code execution through the MongoDB BSON parser.
Credits
- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza
References
- GHSA-462x-c3jw-7vr6
- GHSA-prm5-8g2m-24gg
References
- GHSA-462x-c3jw-7vr6
- https://nvd.nist.gov/vuln/detail/CVE-2023-36475
- parse-community/parse-server#8674
- parse-community/parse-server#8675
- parse-community/parse-server@3dd99dd
- parse-community/parse-server@5fad292
- https://github.com/parse-community/parse-server/releases/tag/5.5.2
- https://github.com/parse-community/parse-server/releases/tag/6.2.1
mtrezza published to parse-community/parse-server
Jun 28, 2023
Published to the GitHub Advisory Database
Jun 30, 2023
Reviewed
Jun 30, 2023
Last updated
Jun 30, 2023
Severity
Critical
9.8
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-1321
CVE ID
CVE-2023-36475
GHSA ID
GHSA-462x-c3jw-7vr6
Source code
parse-community/parse-server
Credits
- dblythy Remediation developer
- mtrezza Remediation reviewer
Checking history
See something to contribute? Suggest improvements for this vulnerability.
Related news
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.