ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Critical

mtrezza published GHSA-6927-3vr9-fxf2

Mar 1, 2024

Package

parse-server (npm)

Affected versions

<6.5.0

Patched versions

>=6.5.0

Description

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

GHSA-6927-3vr9-fxf2
https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6)
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release)

Credits

Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder)
Ehsan Persania (remediation developer)
Manuel Trezza (coordinator)

Severity

Critical

10.0

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N