Cyber Resilience

CVE-2022-24760

Critical · Public PoC

Published: 12 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: 4.10.7 or newer (per the project advisory)
CVSS Score (v3.1): 10.0, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.7557 (98.9th percentile)
Risk Priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24760 is a critical-severity Injection (CWE-74) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Parse Server, an open-source HTTP web server backend, contains a remote code execution vulnerability in versions prior to 4.10.7. The flaw stems from prototype pollution in DatabaseController.js that permits injection of arbitrary properties into JavaScript objects; it is exploitable in the default MongoDB configuration and is likely to affect Postgres and other database backends as well. The issue has been confirmed on both Linux and Windows hosts and carries a CVSS score of 10.0.

An unauthenticated remote attacker can supply a crafted request that pollutes object prototypes, leading to arbitrary code execution on the server with full confidentiality, integrity, and availability impact. Because the attack requires no credentials or user interaction and affects the network-facing API, it can result in complete compromise of the Parse Server instance and any data it manages.

The project’s security advisory GHSA-p6h4-93qp-jhcm and associated commits recommend immediate upgrade to version 4.10.7 or newer; the sole documented workaround is manual application of the patch referenced in the advisory. The EPSS score has remained at its observed peak of 0.7557 with no material post-disclosure climb.
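The analysis above describes the weakness class only in prose: a prototype-pollution bug lets request-controlled keys land on JavaScript object prototypes. The following is an added, constructed JavaScript example, not code from Parse Server, its DatabaseController.js, or the advisory. It shows the generic shape of the flaw (a naive recursive merge of untrusted JSON), a hardened merge that drops the dangerous keys, and a request-body check a defender can run before any merge or query-building step. The FORBIDDEN_KEYS set, the function names and the sample payload are assumptions for illustration.

```javascript
'use strict';

// Keys that let untrusted input reach Object.prototype or a constructor's
// prototype during a recursive merge (constructed list for this example).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weakness class: a naive recursive merge that trusts every key.
// Reading target["__proto__"] yields Object.prototype, so the nested
// properties of that key are written onto every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value); // for "__proto__" this target is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip the dangerous keys and only descend into own,
// plain-object properties of the target, so prototype lookups never occur.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defender-side check: walk a parsed request body and report the JSON paths of
// any forbidden keys, so the request can be rejected and logged up front.
function findForbiddenKeys(value, path = '$', found = []) {
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) found.push(here);
      findForbiddenKeys(value[key], here, found);
    }
  }
  return found;
}

// Demonstration on a constructed payload. JSON.parse creates an own data
// property literally named "__proto__", which is what a naive merge trips over.
function demonstrate() {
  const payload = JSON.parse(
    '{"settings":{"theme":"dark"},"__proto__":{"polluted":"yes"}}'
  );
  const before = ({}).polluted;          // undefined: prototype is clean

  unsafeMerge({}, payload);
  const afterUnsafe = ({}).polluted;     // "yes": every object now inherits it
  delete Object.prototype.polluted;      // undo the pollution for the rest of the process

  const merged = safeMerge({}, payload);
  const afterSafe = ({}).polluted;       // undefined: forbidden key was dropped

  return {
    before,
    afterUnsafe,
    afterSafe,
    mergedTheme: merged.settings.theme,  // "dark": legitimate data still merged
    flagged: findForbiddenKeys(payload), // ["$.__proto__"]
  };
}

console.log(JSON.stringify(demonstrate()));
```

The check in findForbiddenKeys is cheap enough to run on every inbound body at the API boundary, and the paths it returns are what a detection rule would log. Freezing Object.prototype at process start is a further defence-in-depth option, but it is no substitute for upgrading to the fixed release.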

EU & UK References

Vulnerability details

Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.

CWE(s)

CWE-74 (Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

parseplatform
parse-server
< 4.10.7 (all versions prior to 4.10.7)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References