CVE-2022-24760
Published: 12 March 2022
Summary
CVE-2022-24760 is a critical-severity Injection (CWE-74) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Parse Server, an open-source HTTP web server backend, contains a remote code execution vulnerability in versions prior to 4.10.7. The flaw stems from prototype pollution in DatabaseController.js that permits injection of arbitrary properties into JavaScript objects; it is exploitable in the default MongoDB configuration and is likely to affect Postgres and other database backends as well. The issue has been confirmed on both Linux and Windows hosts and carries a CVSS score of 10.0.
An unauthenticated remote attacker can supply a crafted request that pollutes object prototypes, leading to arbitrary code execution on the server with full confidentiality, integrity, and availability impact. Because the attack requires no credentials or user interaction and affects the network-facing API, it can result in complete compromise of the Parse Server instance and any data it manages.
The project’s security advisory GHSA-p6h4-93qp-jhcm and associated commits recommend immediate upgrade to version 4.10.7 or newer; the sole documented workaround is manual application of the patch referenced in the advisory. The EPSS score has remained at its observed peak of 0.7557 with no material post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1489
Vulnerability details
Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.
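The weakness class named above, prototype pollution through a deep merge of untrusted JSON, as an added illustration that is not Parse Server's code and does not reproduce the DatabaseController.js defect; the function names (naiveMerge, safeMerge, demonstrate) and the sample request body are constructed for this example.

```javascript
// Added illustration of the weakness class (not Parse Server's own code):
// a deep merge that follows the "__proto__" key of untrusted JSON writes onto
// Object.prototype, so every object in the process inherits attacker-chosen
// properties. The hardened variant rejects keys that reach the prototype chain.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: recursive merge with no key filtering.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], value); // key === "__proto__" recurses into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, prototype-reaching keys rejected, and no recursion
// into properties the target merely inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) throw new Error(`rejected unsafe key "${key}"`);
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges over a constructed request body and reports what a fresh,
// unrelated object looks like afterwards; restores Object.prototype so the
// rest of the process is unaffected.
function demonstrate() {
  const body = JSON.parse('{"name":"demo","__proto__":{"polluted":true}}'); // constructed
  naiveMerge({}, body);
  const pollutedSeen = ({}).polluted === true; // an unrelated object now carries it
  delete Object.prototype.polluted;
  let rejected = false;
  try { safeMerge({}, body); } catch (e) { rejected = true; }
  return { pollutedSeen, rejected, cleanAfterSafe: ({}).polluted === undefined };
}
```

Run with `node` and inspect `demonstrate()`; the same key filter belongs wherever a request body is merged into a server-side object, not only in one merge helper.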
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).