CVE-2023-22474
📋 TL;DR
Parse Server versions before 5.4.1 incorrectly trust the x-forwarded-for header to determine client IP addresses when not behind a proxy. This allows attackers to spoof their IP address, potentially bypassing IP-based access controls like masterKeyIps. Any Parse Server deployment not behind a properly configured proxy is affected.
💻 Affected Systems
- Parse Server
📦 What is this software?
Parse Server by Parseplatform
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass IP-based authentication controls, gain unauthorized access to protected resources, and potentially compromise sensitive data or administrative functions.
Likely Case
Unauthorized access to APIs or services protected by IP-based restrictions, potentially leading to data exposure or privilege escalation.
If Mitigated
Limited impact with proper proxy configuration and IP validation controls in place.
🎯 Exploit Status
Exploitation requires sending crafted HTTP headers; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.1
Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x
Restart Required: Yes
Instructions:
1. Update Parse Server to version 5.4.1 or later using npm update parse-server.
2. If behind a proxy, configure the trustProxy option appropriately.
3. Restart the Parse Server application.
🔧 Temporary Workarounds
Deploy behind reverse proxy
Place Parse Server behind a properly configured reverse proxy that strips or validates x-forwarded-for headers.
# Configure nginx: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Configure Apache: RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
Middleware IP validation
Implement custom middleware to validate client IP addresses before Parse Server processes requests. The middleware must take the address from the TCP socket; consulting x-forwarded-for first reproduces the vulnerability, because that header is chosen by the caller whenever no trusted proxy sits in front.
// Example Express middleware: take the client IP from the socket, not from a header
app.use((req, res, next) => {
  // req.socket.remoteAddress is set by the TCP layer and cannot be spoofed via headers
  const clientIP = req.socket.remoteAddress;
  // Validate IP logic: compare clientIP against your allow-list and reject with 403 if it does not match
  next();
});
🧯 If You Can't Patch
- Deploy Parse Server behind a reverse proxy with proper x-forwarded-for header handling.
- Implement network-level IP filtering or firewall rules to restrict access to trusted IP ranges only.
🔍 How to Verify
Check if Vulnerable:
Check Parse Server version and configuration: if version <5.4.1 and not behind a proxy with trustProxy configured, it's vulnerable.
Check Version:
npm list parse-server | grep parse-server
Verify Fix Applied:
After updating to 5.4.1+, verify the trustProxy option is correctly set based on deployment architecture.
📡 Detection & Monitoring
Log Indicators:
- Unusual IP addresses in access logs that don't match network source IPs
- Failed authentication attempts from unexpected IP ranges
Network Indicators:
- HTTP requests with manipulated x-forwarded-for headers from untrusted sources
SIEM Query:
source="parse-server" AND "x-forwarded-for" AND NOT src_ip IN (trusted_ip_ranges)
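As an added detection example (not part of the advisory and not Parse Server code), the script below applies the SIEM query's logic to access log lines: any request that carries an x-forwarded-for header from a peer that is not a known proxy is flagged, and a header claiming an address on the masterKeyIps-style allow-list is rated higher because that is the bypass pattern. The log format, the addresses, the trusted proxy list and the privileged IP list are all constructed.

```javascript
// Added detection example (not from the advisory or Parse Server). The log
// format, addresses and lists below are constructed for illustration.
const TRUSTED_PROXIES = ['10.0.0.1'];      // assumed addresses of our reverse proxies
const PRIVILEGED_IPS = ['192.168.1.10'];   // assumed masterKeyIps allow-list

// Parse a key=value line; quoted values may contain spaces and commas.
function parseLogLine(line) {
  const fields = {};
  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// One finding per suspicious line: an x-forwarded-for header from a peer that
// is not our proxy is always notable; one claiming a privileged address is the
// pattern that would have bypassed IP checks on an unpatched server.
function findSpoofCandidates(lines, trustedProxies = TRUSTED_PROXIES, privilegedIps = PRIVILEGED_IPS) {
  const findings = [];
  for (const line of lines) {
    const f = parseLogLine(line);
    if (!f.src || f.xff === undefined) continue;
    if (trustedProxies.includes(f.src)) continue; // header legitimately set by our proxy
    const claimed = f.xff.split(',')[0].trim();   // leftmost entry is the claimed client
    findings.push({
      src: f.src,
      claimed,
      path: f.path,
      severity: privilegedIps.includes(claimed) ? 'high' : 'medium',
      reason: 'x-forwarded-for present but peer is not a trusted proxy',
    });
  }
  return findings;
}

// Constructed sample log: a direct request, one through the proxy, and two
// direct requests that carry a forged header (one claiming a privileged IP).
const SAMPLE_LOG = [
  '2023-01-10T12:00:00Z src=203.0.113.9 method=GET path=/parse/classes/Item status=200',
  '2023-01-10T12:00:01Z src=10.0.0.1 xff="198.51.100.7, 10.0.0.1" method=GET path=/parse/classes/Item status=200',
  '2023-01-10T12:00:02Z src=203.0.113.9 xff="192.168.1.10" method=POST path=/parse/classes/Secret status=200',
  '2023-01-10T12:00:03Z src=203.0.113.44 xff="8.8.8.8" method=GET path=/parse/users status=401',
];

console.log(findSpoofCandidates(SAMPLE_LOG));
```

Feed the function your own log lines in the same key=value shape, or adapt parseLogLine to your proxy's format; the important input is the real peer address (src) alongside the header value, since the header alone says nothing about who sent it.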
🔗 References
- https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8
- https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x
- https://security.netapp.com/advisory/ntap-20230309-0005/