CVE-2023-36475

9.8 CRITICAL

📋 TL;DR

This vulnerability in Parse Server allows attackers to perform prototype pollution attacks that can lead to remote code execution through the MongoDB BSON parser. Any Parse Server deployment prior to versions 5.5.2 or 6.2.1 is affected. Attackers can potentially take full control of affected servers.

💻 Affected Systems

Products:
  • Parse Server
Versions: All versions prior to 5.5.2 and 6.2.1
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: All Parse Server deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, with the attacker gaining remote code execution, exfiltrating data, and installing a persistent backdoor.

🟠 Likely Case: Remote code execution leading to data theft, service disruption, and lateral movement within the network.

🟢 If Mitigated: Limited impact with proper network segmentation, but still potential for service disruption if exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is publicly documented with proof-of-concept available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.2 or 6.2.1

Vendor Advisory: https://github.com/parse-community/parse-server/releases/tag/5.5.2

Restart Required: Yes

Instructions:

1. Update Parse Server to version 5.5.2 or 6.2.1 using npm update parse-server.
2. Restart the Parse Server application.
3. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to Parse Server instances to minimize attack surface.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach Parse Server
  • Deploy web application firewall rules to detect and block prototype pollution attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json for Parse Server version or run 'npm list parse-server'

Check Version:

npm list parse-server | grep parse-server

Verify Fix Applied:

Verify installed version is 5.5.2 or higher (for 5.x) or 6.2.1 or higher (for 6.x)
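The version check above is easy to get wrong by hand (a 5.x install must be compared against 5.5.2, a 6.x install against 6.2.1, and a pre-release such as 6.2.1-alpha.1 still predates the fix). The following is an added example, not code from the advisory or from the Parse Server project: it reads the output of npm list parse-server --json (a real npm flag; the sample output is constructed here) and reports whether the installed version carries the fix. Treating majors above 6 as patched is an assumption made in this example.

```javascript
// Added example (not from the advisory): decide whether an installed
// Parse Server version carries the fix for CVE-2023-36475. The fixed
// versions 5.5.2 and 6.2.1 are taken from the advisory; the sample
// `npm list parse-server --json` output below is constructed for this example.

// First fixed release per major line (4th component: 0 = final release).
const FIXED_BY_MAJOR = { 5: [5, 5, 2, 0], 6: [6, 2, 1, 0] };

// Parse "5.4.0", "v6.2.1" or "6.2.1-alpha.3" into comparable numbers.
// A pre-release sorts below its final release, so it gets -1 as 4th part.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  const parts = m.slice(1, 4).map(Number);
  parts.push(m[4] ? -1 : 0);
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when `version` is at or above the fix for its major line.
// Majors below 5 have no fixed release and are reported unpatched;
// majors above 6 post-date both fixes and are assumed patched (assumption).
function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] < 5) return false;
  if (v[0] > 6) return true;
  return compareVersions(v, FIXED_BY_MAJOR[v[0]]) >= 0;
}

// Extract the installed parse-server version from `npm list parse-server --json`.
function installedVersionFromNpmJson(jsonText) {
  const tree = JSON.parse(jsonText);
  const dep = tree.dependencies && tree.dependencies['parse-server'];
  return dep && dep.version ? dep.version : null;
}

// Constructed sample output, shaped like `npm list parse-server --json`.
const SAMPLE_NPM_LIST_JSON = JSON.stringify({
  name: 'example-backend',
  version: '1.0.0',
  dependencies: { 'parse-server': { version: '5.4.0' } },
});

function checkSample() {
  const installed = installedVersionFromNpmJson(SAMPLE_NPM_LIST_JSON);
  return { installed, patched: installed !== null && isPatched(installed) };
}

console.log(checkSample()); // { installed: '5.4.0', patched: false }
```

To use it on a real host, pipe the actual npm list parse-server --json output into installedVersionFromNpmJson instead of the constructed sample; a null result means parse-server is not a direct dependency of the package you ran npm in, which is itself worth investigating.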

📡 Detection & Monitoring

Log Indicators:

  • Unusual MongoDB BSON parsing errors
  • Unexpected process spawns from Parse Server
  • Prototype-pollution-related error messages

Network Indicators:

  • Unusual outbound connections from Parse Server
  • Suspicious payloads containing __proto__ or constructor properties
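The network indicator above (payloads containing __proto__ or constructor properties) can be turned into a concrete check on JSON request bodies at a proxy or in application logging. The following is an added example written for this page, not code from the advisory or from Parse Server: it walks a parsed body and returns the JSON paths of keys typically used in prototype-pollution payloads. Both sample bodies are constructed.

```javascript
// Added detection example (not from the advisory): report the paths of
// keys commonly used in prototype-pollution payloads inside a JSON body.
// Sample request bodies below are constructed for this example.

const SUSPICIOUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively collect JSON paths whose key is in SUSPICIOUS_KEYS.
function findPollutionKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    // JSON.parse creates "__proto__" as an ordinary own property, so
    // Object.keys sees it. Read it through the own-property descriptor
    // rather than value[key] to avoid touching the prototype accessor.
    for (const key of Object.keys(value)) {
      const keyPath = `${path}.${key}`;
      if (SUSPICIOUS_KEYS.has(key)) found.push(keyPath);
      const child = Object.getOwnPropertyDescriptor(value, key).value;
      findPollutionKeys(child, keyPath, found);
    }
  }
  return found;
}

// Parse a raw body and summarise the result; unparseable bodies are
// reported separately so they can be counted without raising a false alarm.
function inspectRequestBody(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (err) {
    return { suspicious: false, parseError: err.message, paths: [] };
  }
  const paths = findPollutionKeys(parsed);
  return { suspicious: paths.length > 0, paths };
}

// Constructed sample bodies. The suspicious one is written as raw JSON text
// on purpose: in a JS object literal, `__proto__: {...}` would set the
// object's prototype instead of producing a key named "__proto__".
const BENIGN_BODY = JSON.stringify({ objectId: 'abc123', score: 42, tags: ['a', 'b'] });
const SUSPICIOUS_BODY =
  '{"score":1,"update":{"__proto__":{"isAdmin":true}},' +
  '"items":[{"constructor":{"prototype":{"x":1}}}]}';

console.log(inspectRequestBody(BENIGN_BODY));     // { suspicious: false, paths: [] }
console.log(inspectRequestBody(SUSPICIOUS_BODY)); // suspicious: true, three paths
```

A field legitimately named "constructor" would also match, so treat a hit as an alert to review rather than an automatic block; the returned paths make it quick to see whether the key sits somewhere an application schema would never place it.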

SIEM Query:

process.name:"node" AND (process.args:"parse-server" OR process.parent.name:"parse-server") AND event.action:"process_start"
