ZDI-CAN-19904: Remote code execution via MongoDB BSON parser through prototype pollution

Critical

mtrezza published GHSA-462x-c3jw-7vr6

Jun 28, 2023

Package

parse-server (npm)

Affected versions

(<5.5.2) || (>=6.0.0 <6.2.1)

Patched versions

(>=5.5.2 <6.0.0) || (>=6.2.1)

Description

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Credits

Discovered by hir0ot working with Trend Micro Zero Day Initiative
Fixed by dbythy
Reviewed by mtrezza

References

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H