Cyber Resilience

CVE-2022-39396

Severity: Critical
Published: 10 November 2022
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in 4.10.18 and 5.3.1)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1099 (93.6th percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-39396 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in parseplatform's parse-server (Parse Server). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.4% of CVEs by EPSS exploit likelihood (93.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Parse Server is an open source backend framework deployable on any infrastructure capable of running Node.js. CVE-2022-39396 affects versions prior to 4.10.18 and prior to 5.3.1 on the 5.x branch, exposing a prototype-pollution sink (CWE-1321) that an unauthenticated remote attacker can reach over the network. The vulnerability carries a CVSS 3.1 score of 9.8 and permits remote code execution when the polluted prototype is processed by the MongoDB BSON parser.

An attacker with no credentials or user interaction can supply a crafted payload that pollutes Object.prototype, causing the BSON parser to execute arbitrary code when it later deserializes data. Successful exploitation grants the attacker full confidentiality, integrity, and availability impact on the affected Parse Server instance.
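The mechanism described above, a recursive merge of untrusted JSON that writes through a `__proto__` key into `Object.prototype`, is the general CWE-1321 pattern rather than anything Parse Server specific. The following is an added example written for this page, not Parse Server's or the advisory's code: it shows a naive merge beside a hardened one that refuses prototype-bearing keys, plus a runtime check a defender can use to detect that `Object.prototype` has acquired unexpected own properties. The JSON input, the key `polluted`, and every function name are constructed for illustration.

```javascript
// Added example (not Parse Server code): a naive recursive merge as a
// CWE-1321 sink, a hardened merge, and a prototype-integrity check.
// The payload and all names below are constructed for illustration.

// Keys through which a merge can reach a prototype instead of an own property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: writes every key of the untrusted object into the target.
// For key "__proto__", target[key] resolves to Object.prototype, so the
// recursion writes attacker-chosen properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: rejects reserved keys outright and only ever creates or
// descends into own properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge reserved key: ${key}`);
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof existing !== 'object' || existing === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, shaped like a JSON request body.
// JSON.parse creates an own property literally named "__proto__".
const UNTRUSTED_JSON = '{"name":"alice","__proto__":{"polluted":"yes"}}';

// Runs the vulnerable merge, observes the effect on an unrelated fresh
// object, then removes the polluted property so the process stays clean.
function demoUnsafe() {
  const before = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const after = ({}).polluted;           // inherited from Object.prototype
  delete Object.prototype.polluted;      // undo the pollution
  return { before, after };
}

// Runs the hardened merge on the same input and reports the outcome.
function demoSafe() {
  try {
    safeMerge({}, JSON.parse(UNTRUSTED_JSON));
    return 'merged';
  } catch (err) {
    return err.message;
  }
}

// Integrity check: snapshot Object.prototype's own property names at load
// time and report any that appear later. Only meaningful if the snapshot
// is taken before any untrusted input is processed.
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !BASELINE_PROTO_KEYS.has(k));
}

console.log('unsafe merge:', demoUnsafe());      // { before: false, after: 'yes' }
console.log('safe merge:', demoSafe());          // refusing to merge reserved key: __proto__
console.log('unexpected keys:', unexpectedPrototypeKeys()); // []
```

The key-denylist is the minimum; a stronger posture is to build merge targets with `Object.create(null)` so there is no prototype to reach, and, in Node.js, to start the process with `--disable-proto=throw` (or `delete`) so that `__proto__` assignments fail loudly. The baseline check at the end is the kind of probe that belongs in a health endpoint or a periodic self-test, since a polluted prototype is otherwise silent until some later code path consumes the injected property.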

The project’s security advisories state that the issue is resolved in Parse Server 4.10.18 and 5.3.1; no workarounds are known, so administrators are advised to upgrade immediately.

EPSS for the CVE has remained flat at 0.1099 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

parseplatform / parse-server: versions before 4.10.18, and 5.0.0 up to but not including 5.3.1 (fixed in 4.10.18 and 5.3.1)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
