Critical severity · NVD Advisory · Published Jun 28, 2023 · Updated Nov 27, 2024
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
CVE-2023-36475
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-server (npm) | < 5.5.2 | 5.5.2 |
| parse-server (npm) | >= 6.0.0, < 6.2.1 | 6.2.1 |
Affected products
- OSV coordinates: 2 version ranges (< 5.5.2, + 1 more)
- CPE: none assigned; range: < 5.5.2
Patches
Fixed in parse-server 5.5.2 and 6.2.1; the two fix commits and the release tags are listed under References.
References
- github.com/advisories/GHSA-462x-c3jw-7vr6 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-36475 (NVD advisory)
- github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90 (fix commit)
- github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f (fix commit)
- github.com/parse-community/parse-server/issues/8674 (issue)
- github.com/parse-community/parse-server/issues/8675 (issue)
- github.com/parse-community/parse-server/releases/tag/5.5.2 (release)
- github.com/parse-community/parse-server/releases/tag/6.2.1 (release)
- github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6 (vendor advisory, confirmed)