CVE-2023-36475

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

References

Link	Tags
https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6	vendor advisory
https://github.com/parse-community/parse-server/issues/8674	patch issue tracking
https://github.com/parse-community/parse-server/issues/8675	patch issue tracking
https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90	patch
https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f	patch
https://github.com/parse-community/parse-server/releases/tag/5.5.2	release notes
https://github.com/parse-community/parse-server/releases/tag/6.2.1	release notes

Frequently Asked Questions

What is the severity of CVE-2023-36475?: CVE-2023-36475 has been scored as a critical severity vulnerability.
How to fix CVE-2023-36475?: To fix CVE-2023-36475, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-36475 being actively exploited in the wild?: It is possible that CVE-2023-36475 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~8% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-36475?: CVE-2023-36475 affects parse-community parse-server.

Description

Category

CWE-1321 – Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

References

Frequently Asked Questions