Severe remote code execution vulnerability in Node.js library: Update immediately

Cybersecurity specialists recommend users of Parse Server, a popular API server module for Node/Express, immediately apply a fix for a newly detected remote code execution (RCE) vulnerability. Identified by security researchers Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu, the vulnerability resides in versions prior to 4.10.7 of the NPM package of the analysis server.

Parse Server is an open-source backend software for servers and systems running Node.js. It can run independently or with other web application frameworks, including MongoDB and PostgreSQL.

In a security advisory posted on GitHub, the researchers mentioned that the RCE vulnerability was discovered in a default configuration with MongoDB and confirmed in its Ubuntu and Windows versions.

The problem exists due to prototype contamination, which occurs when attackers abuse JavaScript programming language rules to compromise an application, allowing remote code execution, cross-site scripting (XSS) attacks, and SQL injections.

Apparently, code in the DatabaseController.js function of parse-server NPM was the source of the vulnerability. The researchers mention that since the security flaw was found in the database function, it will likely also affect Postgres and any other database backends.

In this regard, Shcherbakov mentions that the vulnerable code was not specific to particular database modules and should be accessible with any database backend. However, exploitation requires a device to lead to arbitrary code execution and some sort of race condition to execute the device in the required order.

The flaw was tracked as CVE-2022-24760 and is still waiting to receive a score according to the Common Vulnerability Scoring System (CVSS), although it is likely to receive a 10, as severe as possible.

Parse Server version 4.10.7 includes a patch to address the vulnerability. In addition, part of the solution includes a sensitive keyword scanner to protect against prototype contamination attacks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.