CVE-2022-39313

HIGH

Parse Server < 4.10.17 and 5.x < 5.2.8 - Denial of Service via Invalid Byte Range in File Download Request

Title source: llm

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds.

References (1)

Core 1

Core References

Third Party Advisory

https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3

Scores

CVSS v3 7.5

EPSS 0.0069

EPSS Percentile 47.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1284

Status published

Products (2)

npm/parse-server 0 - 4.10.17npm

parseplatform/parse-server < 4.10.17

Published Oct 24, 2022

Tracked Since Feb 18, 2026