CVE-2022-31089

7.5 HIGH

📋 TL;DR

Parse Server versions before 4.10.12 and 5.2.3 crash when processing certain invalid file requests, causing denial of service. This affects all Parse Server deployments, with single-instance deployments experiencing complete service disruption while clustered deployments may have reduced availability impact.

💻 Affected Systems

Products:
  • Parse Server
Versions: All versions before 4.10.12 and 5.2.3
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: All Parse Server deployments are vulnerable regardless of configuration. Single-instance deployments have higher availability risk than clustered deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage for single-instance deployments, making the Parse Server unavailable until manually restarted.

🟠 Likely Case

Service disruption causing downtime, potentially leading to application unavailability and business impact.

🟢 If Mitigated

Minimal impact in clustered environments where other instances can handle requests while the affected instance recovers.

🌐 Internet-Facing: HIGH - Attackers can send crafted requests to crash the server without authentication.
🏢 Internal Only: MEDIUM - Internal users could still cause denial of service, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory states that 'certain types of invalid file requests' can trigger the crash, suggesting that simple crafted requests can cause denial of service without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.12 or 5.2.3

Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9

Restart Required: Yes

Instructions:

1. Identify your Parse Server version.
2. Update to version 4.10.12 if using Parse Server 4.x.
3. Update to version 5.2.3 if using Parse Server 5.x.
4. Restart the Parse Server service.

🔧 Temporary Workarounds

No workarounds available

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement load balancing with multiple Parse Server instances to reduce availability impact
  • Deploy rate limiting and request validation at the network perimeter to filter suspicious file requests

🔍 How to Verify

Check if Vulnerable:

Check Parse Server version in package.json or via npm list parse-server

Check Version:

npm list parse-server | grep parse-server

Verify Fix Applied:

Confirm the version is 4.10.12 or higher on the 4.x branch, or 5.2.3 or higher on the 5.x branch.
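The version check above has a branch pitfall: 5.0.0 sorts after 4.10.12 yet is affected, and a plain string compare puts 4.9.x after 4.10.x. The script below is an added example (not from the advisory or the Parse Server project) that compares field by field against the two fix lines; the script name `check_parse_server.sh` and the `npm list` parsing are assumptions.

```shell
#!/bin/sh
# Added example (not part of the advisory): branch-aware check of whether an
# installed parse-server version predates the CVE-2022-31089 fixes, 4.10.12 and 5.2.3.

# ver_lt A B: exit 0 if dotted numeric version A sorts before B (4.9.0 < 4.10.12).
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# parse_server_vulnerable VERSION: exit 0 if VERSION is affected. Only 5.x has its
# own fix line; everything else is measured against 4.10.12 (3.x affected, 6.x not).
parse_server_vulnerable() {
    v=${1#v}; v=${v%%-*}              # tolerate a leading "v" and a -prerelease tag
    case "$v" in
        5.*) ver_lt "$v" 5.2.3 ;;
        *)   ver_lt "$v" 4.10.12 ;;
    esac
}

# installed_version: pull the version out of `npm list`, the check the page suggests;
# prints nothing when parse-server is not installed in the current project.
installed_version() {
    npm list parse-server --depth=0 2>/dev/null |
        sed -n 's/.*parse-server@\([0-9][0-9.a-z-]*\).*/\1/p' | head -n 1
}

# report VERSION: print a verdict; exit 0 = affected, 1 = fixed, 2 = not installed.
report() {
    [ -n "$1" ] || { echo "parse-server not found (run inside the project directory)"; return 2; }
    if parse_server_vulnerable "$1"; then
        echo "parse-server $1 is AFFECTED by CVE-2022-31089; upgrade to 4.10.12 or 5.2.3"
    else
        echo "parse-server $1 includes the fix"; return 1
    fi
}

# Run only when executed directly (sh check_parse_server.sh [VERSION]), so the
# functions can also be sourced from other scripts.
case "${0##*/}" in
    check_parse_server.sh) report "${1:-$(installed_version)}" ;;
esac
```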

📡 Detection & Monitoring

Log Indicators:

  • Parse Server process crashes
  • Unexpected restarts
  • Error logs related to file request processing

Network Indicators:

  • Sudden drop in Parse Server availability
  • Increased failed requests to Parse Server endpoints

SIEM Query:

source="parse-server" AND ("crash" OR "restart" OR "unhandled exception")

🔗 References