CVE-2022-24760
published 2022-03-12


Priority: P1 80 (critical)
CVSS 3.1 base score: 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 49.08% (98.7th percentile)
Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with the code referenced at the source advisory GHSA-p6h4-93qp-jhcm.

Affected

3 ranges

Vendor           Product       Version range    Fixed in
parse-community  parse-server  < 4.10.7         4.10.7
parse-community  parse-server  >= 0, < 4.10.7   4.10.7
parseplatform    parse-server  < 4.10.7         4.10.7

Detection & IOCs (extracted from sources)

Path: DatabaseController.js
  • Prototype Pollution leading to RCE in Parse Server — monitor for unexpected mutations of Object.prototype at runtime in Node.js Parse Server deployments, particularly via untrusted input flowing into DatabaseController.js
  • Attack is confirmed on both Linux (Ubuntu) and Windows platforms running Parse Server in default configuration with MongoDB; scope detection rules accordingly
  • The exploit follows a two-stage POIV pattern: (1) attacker-controlled input pollutes Object.prototype via an injection sink, then (2) a universal gadget in Node.js core APIs (e.g., child_process, module resolution) is triggered to achieve code execution — alert on anomalous prototype chain property additions combined with subsequent child_process or require() calls
  • Universal gadgets exist in Node.js core APIs for code/command execution; Parse Server RCE leverages these packaged gadgets — detection should include monitoring for unexpected module loads from disk or spawned child processes originating from the Parse Server process
  • Versions of Parse Server prior to 4.10.7 are vulnerable; detect or block requests to Parse Server instances running versions < 4.10.7
  • Vulnerability affects Parse Server in the default configuration with MongoDB, but the Prototype Pollution root cause in DatabaseController.js means other database backends (Postgres, etc.) are also likely affected
  • The only known workaround short of upgrading is a manual patch referencing the code in GHSA-p6h4-93qp-jhcm; unpatched default deployments remain fully exposed to RCE

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P