Security Advisory: Injection Vulnerability in Parse Server Prior to Versions 6.5.5 and 7.0.0-alpha.29
CVE-2024-29027
What is CVE-2024-29027?
Parse Server, an open-source backend platform for Node.js, has a vulnerability that allows an attacker to crash the server by calling an invalid Cloud Function or Cloud Job name. This issue, present in releases earlier than versions 6.5.5 and 7.0.0-alpha.29, poses risks including code injection and unauthorized manipulation of the internal store, potentially leading to remote execution of malicious code. The patches introduced in versions 6.5.5 and 7.0.0-alpha.29 include string sanitization measures designed to prevent such attacks. Users are advised to sanitize Cloud Function names and Job names before processing them in Parse Server to mitigate the threat effectively.

Affected Version(s)
parse-server < 6.5.5
parse-server >= 7.0.0-alpha.1, < 7.0.0-alpha.29
