Server crashes when receiving file download request with invalid byte range

High

mtrezza published GHSA-h423-w6qv-2wj3

Oct 15, 2022

Package

parse-server (npm)

Affected versions

(<4.10.17) || (>=5.0.0 <5.2.8)

Patched versions

(>=4.10.17 <5.0.0) || (>=5.2.8)

Description

Impact

Parse Server crashes when a file download request is received with an invalid byte range.

Patches

Improved parsing of the range parameter to properly handle invalid range requests.

Workarounds

None

References

GHSA-h423-w6qv-2wj3

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H