CVE-2022-39396

CRITICAL

Parseplatform Parse-server < 4.10.18 - Prototype Pollution

Title source: rule

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.

References (1)

[Third Party Advisory] https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg

Scores

CVSS v3 9.8

EPSS 0.1099

EPSS Percentile 93.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-1321

Status published

Products (2)

npm/parse-server 0 - 4.10.18npm

parseplatform/parse-server < 4.10.18

Published Nov 10, 2022

Tracked Since Feb 18, 2026