CVE-2024-47183

8.1 HIGH

📋 TL;DR

Parse Server versions before 6.5.9 and 7.3.0 with allowCustomObjectId enabled are vulnerable to privilege escalation. An attacker who can create new users can set custom object IDs to gain unauthorized role privileges. This affects any Parse Server deployment with the vulnerable configuration.

💻 Affected Systems

Products:
  • Parse Server
Versions: All versions before 6.5.9 and 7.x before 7.3.0
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when allowCustomObjectId: true is set in configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains administrative privileges, leading to complete system compromise, data exfiltration, or service disruption.

🟠

Likely Case

Attacker escalates to privileged roles, accessing sensitive data or performing unauthorized actions within the application.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized role access within the compromised user's scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user creation permissions. The vulnerability is well-documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.9 or 7.3.0

Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg

Restart Required: Yes

Instructions:

1. Update Parse Server to version 6.5.9 or 7.3.0 using npm update parse-server.
2. Restart the Parse Server application.
3. Verify the update with npm list parse-server.

🔧 Temporary Workarounds

Disable allowCustomObjectId

all

Set allowCustomObjectId: false in Parse Server configuration to prevent exploitation.

Edit parse-server configuration file and set allowCustomObjectId: false

🧯 If You Can't Patch

  • Implement strict access controls to limit user creation permissions.
  • Monitor logs for unusual user creation patterns or role assignment attempts.

🔍 How to Verify

Check if Vulnerable:

Check Parse Server version and configuration. If version <6.5.9 or 7.x <7.3.0 and allowCustomObjectId: true, system is vulnerable.

Check Version:

npm list parse-server

Verify Fix Applied:

Confirm the installed Parse Server version is at least 6.5.9 on the 6.x line or 7.3.0 on the 7.x line, and test that user creation with a custom object ID no longer grants role privileges it should not.
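The check above (version below the fixed release, combined with allowCustomObjectId enabled) and the workaround of setting allowCustomObjectId: false can be expressed as one small Node.js script. This is an added example, not code from the advisory or from Parse Server itself. It assumes a semantic version string of the form major.minor.patch, that major versions above 7 carry the fix (an assumption; the advisory only names 6.5.9 and 7.3.0), and a configuration object whose allowCustomObjectId key matches the Parse Server option name; the installedVersion helper reads the same package.json that npm list parse-server reports from.

```javascript
// Added example (not from the advisory or Parse Server): decide whether a
// version + configuration pair matches the vulnerable condition for
// CVE-2024-47183: version < 6.5.9, or 7.x < 7.3.0, with allowCustomObjectId true.

// Parse "6.5.8" (optional leading "v", optional prerelease suffix) into [6, 5, 8].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare [major, minor, patch] tuples numerically; negative when a < b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Fixed releases named in the advisory: 6.5.9 for the 6.x line, 7.3.0 for 7.x.
// Anything below 6.x is treated as affected ("all versions before 6.5.9").
// Major versions above 7 are assumed to include the fix (assumption).
function versionIsAffected(version) {
  const [major] = parseVersion(version);
  if (major >= 8) return false;
  if (major === 7) return compareVersions(version, '7.3.0') < 0;
  return compareVersions(version, '6.5.9') < 0;
}

// The flaw is only reachable when allowCustomObjectId is explicitly true;
// an absent or false value is the safe (default) state, which is the workaround.
function isVulnerable(version, config) {
  return versionIsAffected(version) && config.allowCustomObjectId === true;
}

// Read the installed version from node_modules/parse-server/package.json
// (the same value `npm list parse-server` prints). Throws if not installed.
function installedVersion(root = process.cwd()) {
  const fs = require('fs');
  const path = require('path');
  const p = path.join(root, 'node_modules', 'parse-server', 'package.json');
  return JSON.parse(fs.readFileSync(p, 'utf8')).version;
}

// Stand-alone usage: run from the application root. The config here is a
// constructed placeholder; substitute the object you pass to ParseServer.
if (typeof require !== 'undefined' && require.main === module) {
  const config = { appId: 'APP_ID_PLACEHOLDER', allowCustomObjectId: true };
  let version;
  try {
    version = installedVersion();
  } catch (err) {
    version = '6.5.8'; // constructed fallback so the demo runs without an install
  }
  console.log(`parse-server ${version}, allowCustomObjectId=${config.allowCustomObjectId}` +
    ` -> ${isVulnerable(version, config) ? 'VULNERABLE: patch or set allowCustomObjectId: false' : 'not affected'}`);
}
```

Wire isVulnerable into a deployment pre-flight or CI step so that a configuration enabling allowCustomObjectId on an unpatched build fails the build instead of shipping.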

📡 Detection & Monitoring

Log Indicators:

  • Unusual user creation events with custom object IDs
  • Role assignment to newly created users

Network Indicators:

  • HTTP POST requests to user creation endpoints with custom objectId parameters

SIEM Query:

source="parse-server" AND (event="user_creation" OR event="role_assignment") AND objectId=*
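The log and network indicators above amount to one correlation: a user created with a client-supplied objectId that is shortly afterwards granted a role. The following is an added example, not from the advisory or from Parse Server, that runs that correlation over a few constructed JSON log lines. The line format (ts, event, objectId, customObjectId, role fields) is constructed for the example to mirror the fields in the SIEM query; a real deployment would adapt parseLine to its own Parse Server or reverse-proxy logging.

```javascript
// Added example (not from the advisory or Parse Server): correlate user-creation
// events carrying a client-supplied objectId with later role assignments to
// the same objectId, the pattern the Detection & Monitoring section describes.

// Constructed sample log, one JSON object per line. Field names are invented
// for this example; map them onto your own logging pipeline.
const SAMPLE_LOG = [
  '{"ts":"2024-09-20T10:00:00Z","event":"user_creation","objectId":"x7Qe2LpA9b","customObjectId":false}',
  '{"ts":"2024-09-20T10:01:10Z","event":"user_creation","objectId":"admin_user_01","customObjectId":true}',
  '{"ts":"2024-09-20T10:03:00Z","event":"role_assignment","objectId":"admin_user_01","role":"Administrator"}',
  '{"ts":"2024-09-20T10:04:00Z","event":"role_assignment","objectId":"x7Qe2LpA9b","role":"Member"}',
  'this line is not JSON and should be skipped',
].join('\n');

// Parse one line; return null for anything that is not a JSON object so a
// malformed line never aborts the whole scan.
function parseLine(line) {
  try {
    const o = JSON.parse(line);
    return o && typeof o === 'object' ? o : null;
  } catch (err) {
    return null;
  }
}

// Walk the log in order. Every user creation with a client-supplied objectId
// is a low-severity finding on its own; a role assignment to such an objectId
// within `windowMs` of its creation is escalated to high severity.
function findSuspiciousSequences(text, windowMs = 10 * 60 * 1000) {
  const customCreated = new Map(); // objectId -> creation event
  const findings = [];
  for (const line of text.split('\n')) {
    const ev = parseLine(line);
    if (!ev || typeof ev.objectId !== 'string') continue;
    if (ev.event === 'user_creation' && ev.customObjectId === true) {
      customCreated.set(ev.objectId, ev);
      findings.push({
        severity: 'low',
        objectId: ev.objectId,
        reason: 'user created with client-supplied objectId',
      });
    } else if (ev.event === 'role_assignment' && customCreated.has(ev.objectId)) {
      const created = customCreated.get(ev.objectId);
      const delta = Date.parse(ev.ts) - Date.parse(created.ts);
      if (delta >= 0 && delta <= windowMs) {
        findings.push({
          severity: 'high',
          objectId: ev.objectId,
          role: ev.role,
          reason: `role assigned ${Math.round(delta / 1000)}s after creation with custom objectId`,
        });
      }
    }
  }
  return findings;
}

// Stand-alone usage over the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findSuspiciousSequences(SAMPLE_LOG)) {
    console.log(`[${f.severity.toUpperCase()}] ${f.objectId}: ${f.reason}`);
  }
}
```

On a patched server the low-severity finding still tells you that allowCustomObjectId is in use; the high-severity correlation is the one worth paging on, and the window can be widened if legitimate onboarding flows assign roles well after sign-up.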

🔗 References