CVE-2022-24760

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.

### Impact This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. ### Patches Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment. Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code `400` and Parse Error `105` (`INVALID_KEY_NAME`). By default these keywords are: `{_bsontype: "Code"}`, `constructor`, `__proto__`. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option `requestKeywordDenylist` to `[]` and specify your own keywords as needed. ### Workarounds Although the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in `index.js`. ``` const BSON = require('bson'); const internalDeserialize = BSON.prototype.deserialize; BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) => { if (options.constructor) { options = Object.assign(Object.create(null), options); } return internalDeserialize(buffer, options, ...others); }; const internalDeserializeStream = BSON.prototype.deserializeStream; BSON.prototype.deserializeStream = ( data, startIndex, numberOfDocuments, documents, docStartIndex, options = Object.create(null), ...others ) => { if (options.constructor) { options = Object.assign(Object.create(null), options); } return internalDeserializeStream( data, startIndex, numberOfDocuments, documents, docStartIndex, options, ...others ); }; ``` ### References - Original report on [huntr.dev](https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/)

### Impact This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. ### Patches Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment. Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code `400` and Parse Error `105` (`INVALID_KEY_NAME`). By default these keywords are: `{_bsontype: "Code"}`, `constructor`, `__proto__`. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option `requestKeywordDenylist` to `[]` and specify your own keywords as needed. ### Workarounds Although the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in `index.js`. ``` const BSON = require('bson'); const internalDeserialize = BSON.prototype.deserialize; BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) => { if (options.constructor) { options = Object.assign(Object.create(null), options); } return internalDeserialize(buffer, options, ...others); }; const internalDeserializeStream = BSON.prototype.deserializeStream; BSON.prototype.deserializeStream = ( data, startIndex, numberOfDocuments, documents, docStartIndex, options = Object.create(null), ...others ) => { if (options.constructor) { options = Object.assign(Object.create(null), options); } return internalDeserializeStream( data, startIndex, numberOfDocuments, documents, docStartIndex, options, ...others ); }; ``` ### References - Original report on [huntr.dev](https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/)

Parse Server es un backend de servidor web http de código abierto. En versiones anteriores a 4.10.7, se presenta una vulnerabilidad de Ejecución de Código Remota (RCE) en Parse Server. Esta vulnerabilidad afecta a Parse Server en la configuración por defecto con MongoDB. La principal debilidad que conlleva a RCE es el código vulnerable Prototype Pollution en el archivo "DatabaseController.js", por lo que es probable que afecte también a Postgres y a cualquier otro backend de base de datos. Esta vulnerabilidad ha sido confirmada en Linux (Ubuntu) y Windows. Es recomendado a usuarios actualizar lo antes posible. La única medida de mitigación conocida es parchear manualmente su instalación con el código referenciado en la fuente GHSA-p6h4-93qp-jhcm