CVE-2022-24760

CRITICAL

Parse Server < 4.10.7 - Remote Code Execution via Prototype Pollution in DatabaseController.js

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-24760. PoCs published by tuo4n8.

AI-analyzed exploit summary This repository provides a detailed analysis of CVE-2022-24760, a prototype pollution vulnerability in Parse Server leading to RCE via BSON deserialization. It includes flow diagrams, code snippets, and a sample payload for exploitation.

Description

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.

Exploits (1)

nomisec WRITEUP 1 stars

by tuo4n8 · poc

https://github.com/tuo4n8/CVE-2022-24760

View Code ZIP pw:eip

This repository provides a detailed analysis of CVE-2022-24760, a prototype pollution vulnerability in Parse Server leading to RCE via BSON deserialization. It includes flow diagrams, code snippets, and a sample payload for exploitation.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: Parse Server (versions before the fix)

No auth needed

Prerequisites: Access to the Parse Server API · Ability to send crafted requests

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm

Patch, Third Party Advisory x_refsource_misc

https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d

View Patch ZIP pw:eip

Exploit, Patch, Third Party Advisory x_refsource_misc

https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/

Scores

CVSS v3 10.0

EPSS 0.7557

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-74 CWE-1321

Status published

Products (2)

npm/parse-server 0 - 4.10.7npm

parseplatform/parse-server < 4.10.7

Published Mar 12, 2022

Tracked Since Feb 18, 2026