CVE-2024-39309

CRITICAL

NPM Parse-server < 6.5.7 - SQL Injection

Title source: rule

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.

Exploits (1)

nomisec WORKING POC 1 stars

by HeavyGhost-le · poc

https://github.com/HeavyGhost-le/POC_SQL_injection_in_Parse_Server_prior_6.5.7_-_7.1.0

View Code ZIP pw:eip

References (5)

[Patch] https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3

[Patch] https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b

[Issue Tracking] https://github.com/parse-community/parse-server/pull/9167

[Issue Tracking] https://github.com/parse-community/parse-server/pull/9168

[Vendor Advisory] https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r

Scores

CVSS v3 9.8

EPSS 0.0379

EPSS Percentile 88.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-288 CWE-89

Status published

Products (3)

npm/parse-server 0 - 6.5.7npm

parse-community/parse-server < 6.5.7

parse-community/parse-server >= 7.0.0, < 7.1.0

Published Jul 01, 2024

Tracked Since Feb 18, 2026