CVE-2024-47183

Parse Server's custom object ID allows to acquire role privileges

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.

Categories

8.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.11%
Vendor Advisory github.com
Affected: parse-community parse-server
Published at:
Updated at:

References

Link Tags
https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg vendor advisory
https://github.com/parse-community/parse-server/pull/9317 patch
https://github.com/parse-community/parse-server/pull/9318 patch
https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc patch
https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f patch

Frequently Asked Questions

What is the severity of CVE-2024-47183?
CVE-2024-47183 has been scored as a high severity vulnerability.
How to fix CVE-2024-47183?
To fix CVE-2024-47183, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-47183 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-47183 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-47183?
CVE-2024-47183 affects parse-community parse-server.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.