15 March 2022 at 15:11 UTC
Updated: 02 December 2022 at 11:57 UTC
GitHub has awarded the bug a severity score of 10 – the highest available
Discovered by security researchers Mikhail Shcherbakov, Cristian-Alexandru Staicu, and Musard Balliu, the vulnerability impacts the parse-server NPM package, versions below 4.10.7.
In a security advisory published on GitHub, on March 11, the team said the RCE vulnerability was discovered in a default configuration with MongoDB and has been confirmed in Ubuntu and Windows versions of the software.
The root cause of the security problem in play is prototype pollution.
Parse Server is open source backend software for servers and systems that run Node.js. It can run on its own or alongside other web application frameworks, and supports MongoDB and PostgreSQL as database backends.
According to the researchers, code in the parse-server NPM package’s DatabaseController.js file was the source of the vulnerability.
Shcherbakov and Staicu said that as the security flaw was found in the database function, it will “likely affect Postgres and any other database backend as well”.
Speaking to The Daily Swig, Shcherbakov said the vulnerable code was not specific to particular database modules and, in theory, “should be reachable with any database backend”.
“However, the exploitation requires a gadget to get arbitrary code execution and some kind of a race condition to execute the gadget in the required order,” Shcherbakov explained. “I found the gadget and the race condition in MongoDB modules to demonstrate the exploit. I did not try to use another database, but it is likely possible.”
Tracked as CVE-2022-24760, the RCE bug is awaiting a formal CVSS score from NIST, but GitHub – a CVE Numbering Authority (CNA) – has given the vulnerability a base score of 10 – the highest severity possible.
Parse Server 4.10.7 includes a patch for CVE-2022-24760. Part of the fix includes a scanner for sensitive keywords to safeguard against prototype pollution attacks.
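To illustrate what a keyword scanner of this kind does, here is an added example (not parse-server’s own code) that walks a decoded JSON request body, rejects any object carrying a key that could reach `Object.prototype`, and only then lets a recursive merge run. The keyword list and the sample bodies are assumptions constructed for the example.

```javascript
// Added example, not parse-server's code: a recursive key scanner placed in
// front of a deep merge so that a JSON body can never touch Object.prototype.
// The keyword list is an assumption for illustration, not the project's list.
const SENSITIVE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the dotted path of the first sensitive key in a decoded JSON value,
// or null when the value is clean. Arrays are walked element by element.
function findSensitiveKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findSensitiveKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value === null || typeof value !== 'object') return null;
  // JSON.parse stores "__proto__" as an ordinary own property, so Object.keys
  // lists it here; that is precisely the key the scanner has to catch.
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (SENSITIVE_KEYS.has(key)) return here;
    const hit = findSensitiveKey(value[key], here);
    if (hit) return hit;
  }
  return null;
}

// Plain recursive merge of an update into a stored record. On its own it would
// treat a nested "__proto__" key like any other sub-object, which is why the
// scan in applyUpdate must run before it.
function mergeInto(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeInto(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Parse, scan, and only then merge; a hit aborts before any assignment happens.
function applyUpdate(rawJson) {
  const body = JSON.parse(rawJson);
  const hit = findSensitiveKey(body);
  if (hit) throw new Error(`rejected update: sensitive key at "${hit}"`);
  return mergeInto({ prefs: {} }, body);
}

// Constructed sample bodies: an ordinary update and one carrying a pollution key.
const CLEAN_BODY = '{"name":"alice","prefs":{"theme":"dark"}}';
const POLLUTED_BODY = '{"name":"alice","prefs":{"__proto__":{"tainted":true}}}';
```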
Users are advised to upgrade to at least v4.10.7 of Parse Server.
One possible workaround, short of applying the recommended update, involves patching the MongoDB Node.js driver and disabling BSON code execution.
The most recent build available is 5.0.0, which also bundles new and improved file upload security controls.
The Daily Swig has reached out to the project with additional queries. We will update this story as and when we hear back from Parse Server’s developers.