Cyber Resilience

CVE-2023-36475

Critical

Published: 28 June 2023

Modified: 21 November 2024
Patch: available (see versions below)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0983 (93.1st percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-36475 is a critical-severity prototype pollution (CWE-1321) vulnerability in parseplatform/parse-server (Parse Server). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 6.9% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Parse Server is an open source backend framework that runs on Node.js and connects to MongoDB. CVE-2023-36475 is a prototype pollution vulnerability (CWE-1321) present in 5.x releases prior to 5.5.2 and 6.x releases prior to 6.2.1. An attacker-supplied payload can reach a sink inside the MongoDB BSON parser, allowing the pollution to be escalated into arbitrary code execution on the server.

Because the flaw is reachable over the network with no authentication or user interaction required, any remote attacker who can send requests to a Parse Server instance can achieve full remote code execution, resulting in complete compromise of the confidentiality, integrity, and availability of the affected service.

Patches addressing the issue were released in Parse Server versions 5.5.2 and 6.2.1; the corresponding commits and release notes are available in the project repository.

EPSS for the CVE rose from a low baseline to a peak of 0.1670 on 2025-01-22 before receding to the current value of 0.0983, indicating a measurable increase in observed exploitation interest after disclosure.

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

parseplatform
parse-server
≤ 5.5.2 · 6.0.0 — 6.2.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
