CVE-2023-36475: Parse Server Remote Code Execution Vulnerability

CVE-2023-36475

Parse Server, a widely used open-source backend in Node.js infrastructures, was recently found to carry a serious bug. Tracked as CVE-2023-36475, it is a critical vulnerability in the MongoDB BSON parser: a prototype pollution sink that can be escalated to remote code execution.

Parse Server, known for its close integration with the Express web application framework, is a backend that can be deployed to any infrastructure that runs Node.js. It can be mounted inside an existing Express application or run as a standalone service. That same flexibility and ease of deployment mean an unpatched instance leaves its users exposed to this flaw.


CVE-2023-36475 carries a CVSS score of 9.8. It lies in the MongoDB BSON parser that Parse Server uses to decode documents: the parser acts as a prototype pollution sink, and an attacker who reaches it can escalate the pollution to remote code execution on the server. The vulnerability was discovered by hir0ot, working with Trend Micro Zero Day Initiative.

Affected versions are those below 5.5.2, and those from 6.0.0 up to but not including 6.2.1. Patches are available: versions 5.5.2 and later in the 5.x line (below 6.0.0), and versions 6.2.1 and later, contain the fix for this prototype pollution vulnerability.
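To make the affected ranges concrete, here is a small version check written for this post; it is not Parse Server code. It implements exactly the ranges stated above and reads the declared dependency from a package.json-shaped object (the `dependencies['parse-server']` layout is the usual npm one; the sample object used in the check is constructed).

```javascript
// Added example (not Parse Server code): classify a Parse Server version
// against the ranges the advisory lists for CVE-2023-36475.
//   affected: < 5.5.2, or >= 6.0.0 and < 6.2.1
//   patched:  >= 5.5.2 and < 6.0.0, or >= 6.2.1

// Parse "5.5.2" / "v6.2.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

const lt = (a, b) => compareVersions(parseVersion(a), parseVersion(b)) < 0;
const gte = (a, b) => !lt(a, b);

// True when the given Parse Server version falls in an affected range.
function isVulnerableToCve202336475(version) {
  if (lt(version, '5.5.2')) return true;                          // < 5.5.2
  if (gte(version, '6.0.0') && lt(version, '6.2.1')) return true; // 6.0.0 <= v < 6.2.1
  return false;
}

// Read the declared parse-server dependency from a package.json-like object.
// Range operators such as "^" or "~" are stripped, so this checks the base
// version of the spec; the resolved version in the lockfile (or the output of
// `npm ls parse-server`) is the authoritative one for a running deployment.
function checkDeployment(pkg) {
  const raw = (pkg.dependencies && pkg.dependencies['parse-server'])
           || (pkg.devDependencies && pkg.devDependencies['parse-server']);
  if (!raw) return { found: false, version: null, vulnerable: null };
  const version = raw.replace(/^[\^~>=<\s]+/, '');
  return { found: true, version, vulnerable: isVulnerableToCve202336475(version) };
}

// Constructed sample package.json fragment for a quick run.
const SAMPLE_PACKAGE = { dependencies: { 'parse-server': '^6.1.0' } };
console.log(checkDeployment(SAMPLE_PACKAGE));
```

The boundary cases matter: 5.5.2 and 6.2.1 themselves are patched, while 6.0.0 and 6.2.0 are affected.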

These patches prevent prototype pollution within the MongoDB database adapter, closing the path from a polluted prototype to code execution. Where patch deployment must be delayed, disabling remote code execution through the MongoDB BSON parser can serve as a workaround.