CVE-2024-27298

10.0 CRITICAL

📋 TL;DR

This SQL injection vulnerability in parse-server allows an attacker to execute arbitrary SQL when the server is configured to use PostgreSQL (a databaseURI with a postgres:// or postgresql:// scheme). It affects every unpatched parse-server deployment on the PostgreSQL storage adapter; deployments on MongoDB are not affected. Exploitation can lead to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • parse-server
Versions: All releases before 6.5.0, and 7.0.0 pre-releases before 7.0.0-alpha.20
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: No (the default databaseURI is MongoDB; only deployments whose databaseURI points at PostgreSQL are exposed)
Notes: Only affects parse-server deployments using the PostgreSQL storage adapter. parse-server ships MongoDB and PostgreSQL adapters only; the MongoDB adapter is not affected, and there is no MySQL adapter.

📦 What is this software?

Parse Server is an open-source backend for the Parse platform, written in Node.js on Express. It exposes the Parse REST (and optional GraphQL) API to mobile and web clients and stores application classes, users and sessions in either MongoDB or PostgreSQL through a pluggable storage adapter. Client queries are translated into database queries by that adapter, which is where this vulnerability lives for PostgreSQL.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Parse database: exfiltration and destruction of all application data, including user records, and escalation inside the application by editing those records. If the PostgreSQL role parse-server connects as is a superuser, or a member of pg_execute_server_program or the pg_read_server_files/pg_write_server_files roles, the injection also reaches file access and command execution on the database host (COPY ... TO/FROM PROGRAM, pg_read_file).

🟠

Likely Case

Unauthorized data access and manipulation, potentially exposing sensitive user data stored in Parse applications.

🟢

If Mitigated

Impact limited to what a restricted PostgreSQL role can reach inside the Parse database, with network segmentation keeping the database host itself out of reach. Application-layer input validation does little here: the flaw is in the framework's own query building, and queries arrive directly over the public REST API.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity. The advisory does not publish the injection point or a proof of concept; the fix is in the PostgreSQL storage adapter, the component that turns Parse query parameters into SQL, so assume any attacker-controlled query input that reaches that adapter over the REST API is in scope.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.0 or 7.0.0-alpha.20

Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2

Restart Required: Yes

Instructions:

1. Update the parse-server package to a fixed release: npm install parse-server@^6.5.0 (or parse-server@7.0.0-alpha.20 if you are on the 7.0.0 pre-release line). Plain npm update will not move you off an exactly pinned vulnerable version.
2. Verify the installed version: npm ls parse-server (must show 6.5.0 or higher, or 7.0.0-alpha.20 or higher; 7.0.0-alpha.1 through alpha.19 are still vulnerable even though they sort above 6.5.0)
3. Restart your parse-server process so the new adapter code is loaded
4. Test application functionality against PostgreSQL

🔧 Temporary Workarounds

Restrict the PostgreSQL role parse-server connects as

Platform: all

The most effective stop-gap short of patching. The adapter creates and alters tables itself, so the role cannot be read-only, but it must not be a superuser and must not hold CREATEROLE, CREATEDB or membership in pg_execute_server_program, pg_read_server_files or pg_write_server_files; those are what turn a SQL injection into file access or command execution on the database host. Point databaseURI at that role only.

Database Firewall Rules

Platform: all

A database firewall or proxy that alerts on (or blocks) statements the application never issues reduces exposure, but signature-based blocking of "injection patterns" is routinely bypassed and can break legitimate parse-server queries. Treat it as a detection layer, not a fix.

Changing database: parse-server supports only MongoDB and PostgreSQL; there is no MySQL adapter. Moving to MongoDB requires a full data migration and is not a quick temporary workaround; patching is far less work.

🧯 If You Can't Patch

  • Put a WAF in front of the Parse REST API (/classes, /functions, /users, /login) and alert on SQL metacharacters in query parameters and JSON bodies; expect bypasses, since the injection reaches the adapter through normal API input rather than raw SQL
  • Restrict the PostgreSQL role parse-server uses to the minimum it needs (no superuser, no file or program execution roles) so a successful injection stays inside the application's own tables
  • Keep PostgreSQL error logging on (the default log_min_error_statement = error is enough) so probing shows up in the logs

🔍 How to Verify

Check if Vulnerable:

Check the installed parse-server version and the databaseURI. If databaseURI uses a postgres:// or postgresql:// scheme and the version is below 6.5.0, or is a 7.0.0 pre-release earlier than 7.0.0-alpha.20, you are vulnerable. MongoDB deployments are not affected regardless of version.

Check Version:

npm list parse-server | grep parse-server

Verify Fix Applied:

Verify that npm ls parse-server reports 6.5.0 or higher (or, on the 7.0.0 pre-release line, alpha.20 or higher), that the process was restarted after the upgrade, and that application queries against PostgreSQL still work correctly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in PostgreSQL logs
  • Multiple failed query attempts with SQL syntax errors
  • Unexpected database schema changes

Network Indicators:

  • Unusual API request patterns to parse-server endpoints
  • Large data transfers from database server

SIEM Query:

source="postgresql" AND ("syntax error" OR "unterminated quoted string" OR "unexpected token" OR "malformed array literal" OR "invalid input syntax")

PostgreSQL only writes these if error logging is enabled; the defaults (log_min_messages = warning, log_min_error_statement = error) are sufficient and also log the failing statement on the STATEMENT: line that follows each ERROR: line. Baseline the query before alerting on it: a few such errors per day from ordinary application bugs is normal, while a burst from the parse-server role inside a short window is the signal.

🔗 References

  • GitHub Security Advisory GHSA-6927-3vr9-fxf2: https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2
