CVE-2023-36475
Published: 28 June 2023
Summary
CVE-2023-36475 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 9.8 (Critical).
By exploit likelihood it ranks in the top 6.9% of all CVEs; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Parse Server is an open source backend framework that runs on Node.js and is commonly deployed with MongoDB. CVE-2023-36475 is a prototype-pollution vulnerability (CWE-1321) present in versions prior to 5.5.2 and 6.2.1. An attacker-supplied payload can reach a prototype-pollution sink, and the polluted prototype is then consumed by the MongoDB BSON parser, which lets the pollution be escalated into arbitrary code execution on the server.
Because the flaw is reachable over the network with no authentication and no user interaction (consistent with the 9.8 base score), any remote attacker who can send requests to a Parse Server instance can achieve remote code execution, giving complete loss of confidentiality, integrity, and availability of the affected service.
Patches addressing the issue were released in Parse Server versions 5.5.2 and 6.2.1; the corresponding commits and release notes are available in the project repository.
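As an added illustration, not code from Parse Server or from the advisory, the block below shows the generic shape of a CWE-1321 sink of the kind described above: a recursive merge of an attacker-controlled JSON body that descends into `__proto__`, beside a hardened merge that refuses prototype-reaching keys, plus a runtime canary check. The merge functions, the request payload and the `polluted` marker are constructed for this example; the specific sink inside Parse Server and the BSON-parser path from pollution to code execution are not reproduced here.

```javascript
// Added example (not Parse Server code). Demonstrates how a naive deep-merge
// becomes a prototype-pollution sink, and how to close it.

// Classic CWE-1321 sink: recursive merge that trusts every key in `source`.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // `"__proto__" in target` is true (inherited accessor), so
      // target["__proto__"] resolves to Object.prototype and we recurse
      // into the shared prototype instead of a fresh object.
      if (!(key in target)) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip keys that can reach a prototype, copy only own
// properties, and never descend into an inherited object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Canary: has a marker property been planted on Object.prototype?
function isPrototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates "__proto__" as an ordinary own property, which is
// exactly what lets the naive merge reach Object.prototype.
const ATTACKER_PAYLOAD = JSON.parse(
  '{"name": "x", "__proto__": {"polluted": "yes"}}'
);

function demonstrate() {
  const result = {};

  // Vulnerable path: after this, every object in the process "has" `polluted`.
  naiveMerge({}, ATTACKER_PAYLOAD);
  result.naivePolluted = isPrototypePolluted('polluted');
  result.freshObjectSeesIt = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before the next step

  // Hardened path: the __proto__ key is dropped, nothing leaks.
  const merged = safeMerge({}, ATTACKER_PAYLOAD);
  result.safePolluted = isPrototypePolluted('polluted');
  result.safeKeptName = merged.name === 'x';
  result.safeHasProtoKey = Object.prototype.hasOwnProperty.call(merged, '__proto__');
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

In a real service the `delete` step does not exist: once `Object.prototype` is polluted, every later object lookup in the process sees the attacker's value, which is why a downstream consumer such as a BSON serializer can turn a single polluted key into code execution. Rejecting the three dangerous keys at every merge or deep-clone site, or building configuration objects with `Object.create(null)`, is the standard fix for the sink; the canary check is a cheap guard to run in tests or health checks.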
EPSS for the CVE, which estimates the probability of exploitation in the wild over the next 30 days, rose from a low baseline to a peak of 0.1670 on 2025-01-22 and has since receded to 0.0983. The score is a prediction rather than evidence of observed attacks, but a sustained value near 0.1 is high relative to most CVEs and indicates continued exploitation interest well after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1678
Vulnerability details
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
- CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Upgrade to Parse Server 5.5.2 or 6.2.1 (or later), which contain the fix. No other mitigating controls have been mapped for this CVE yet.