Parse Server has been updated to address a prototype pollution vulnerability that could result in remote code execution (RCE).

According to a GitHub security advisory posted on November 8, an attacker could potentially trigger RCE by utilizing the flaw (CVE-2022-39396) in the MongoDB BSON [Binary JSON] parser.

Push notification support for iOS, macOS, Android, and tvOS is provided by the well-known Node.js API server module Parse Server.


Although the security researchers involved are withholding technical details to give developers time to apply patches, the bug is known to be similar to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability, which was made public in March 2022, was rated at the maximum CVSS severity of 10.

Patch now

Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig: “I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication. So, if you have Parse Server, my advice is to patch it as soon as possible.”

The bug is fixed in versions 4.10.18 and 5.3.1 of the parse-server NPM package.

The fix prevents prototype pollution in the MongoDB database adapter. Users who cannot apply the update right away can mitigate the issue in the interim by disabling remote code execution through the MongoDB BSON parser.

‘Complex task’

The issue was discovered during a research project by Shcherbakov, his KTH colleague Musard Balliu, and Cristian-Alexandru Staicu of the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The three investigated whether prototype pollution flaws in Node.js systems could lead to RCE attacks.


According to Shcherbakov, “identification of prototype pollution is a tough task. But while still feasible, the exploitation that shows a high effect of vulnerabilities is more challenging in practice.”

The researchers’ findings, which also cover Rocket.Chat and the NPM CLI for Node.js, are set out in a white paper (PDF). They are scheduled to present the research at USENIX Security ’23.

Universal gadgets

The presentation summary explains that prototype pollution involves injecting “properties into an object’s root prototype at runtime [to] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype.” It affects Node.js and prototype-based languages like JavaScript.

In order to find “end-to-end exploits beyond DoS in full-fledged Node.js applications,” the researchers set out to develop “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detecting universal gadgets”.

Technical details of the Parse Server RCE are due to be published on the Trend Micro Zero Day Initiative (ZDI) blog.


Other important security flaws in Parse Server fixed this year include a high-severity authentication bypass affecting Apple Game Center and a problem that allowed for brute-force guessing of sensitive user data.