CVE-2022-39396
Published: 10 November 2022
Summary
CVE-2022-39396 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Parse Server is an open source backend framework deployable on any infrastructure capable of running Node.js. CVE-2022-39396 affects versions prior to 4.10.18 and prior to 5.3.1 on the 5.x branch, exposing a prototype-pollution sink (CWE-1321) that an unauthenticated remote attacker can reach over the network. The vulnerability carries a CVSS 3.1 score of 9.8 and permits remote code execution when the polluted prototype is processed by the MongoDB BSON parser.
An attacker with no credentials or user interaction can supply a crafted payload that pollutes Object.prototype, causing the BSON parser to execute arbitrary code when it later deserializes data. Successful exploitation grants the attacker full confidentiality, integrity, and availability impact on the affected Parse Server instance.
The project’s security advisories state that the issue is resolved in Parse Server 4.10.18 and 5.3.1; no workarounds are known, so administrators are advised to upgrade immediately.
EPSS for the CVE has remained flat at 0.1099 since disclosure, indicating no material increase in observed exploitation interest.
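The pollution path described above and the advisory's version window, as an added JavaScript illustration that is not Parse Server's code: a constructed `__proto__` payload, the naive recursive merge it abuses, a merge that rejects prototype-reaching keys, and a check against the fixed versions stated here (4.10.18 and 5.3.1). The function and key names are assumptions for this illustration.

```javascript
// Added illustration of the vulnerability class (not Parse Server's code):
// a "__proto__" key in untrusted JSON reaching Object.prototype through a
// naive recursive merge, the hardened merge, and the advisory's version window.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern: JSON.parse makes "__proto__" an ordinary own key, and
// target["__proto__"] resolves to Object.prototype, which is then written to.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key])) {
      if (!isObj(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else target[key] = source[key];
  }
  return target;
}

// Hardened form: reject keys that can reach a prototype before touching the
// target, and only descend into the target's own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    if (isObj(source[key])) {
      if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else target[key] = source[key];
  }
  return target;
}

// Feeds a constructed payload to unsafeMerge, observes the effect on an
// unrelated empty object, then removes the pollution again.
function demoPollution() {
  const body = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed
  unsafeMerge({}, body);
  const seen = ({}).polluted === true;
  delete Object.prototype.polluted;
  return seen;
}

// Version window stated on this page: fixed in 4.10.18 and in 5.3.1.
function isVulnerableVersion(version) {
  const [maj, min, pat] = version.split('.').map(Number);
  const before = (a, b) => min < a || (min === a && pat < b);
  if (maj === 4) return before(10, 18);
  if (maj === 5) return before(3, 1);
  return maj < 4;
}
```

The same key rejection belongs at the request boundary of any Node.js service that merges client JSON into server-side objects, not only in a merge helper.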
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7404
Vulnerability details
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.
- CWE(s): CWE-1321 (Prototype Pollution)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.