CVE-2022-39396

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39396

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39396.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39396

Aliases

Published

2022-11-10T00:00:00Z

Modified

2025-12-04T10:36:28.327058Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser

Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.

Database specific

{
    "cwe_ids": [
        "CWE-1321"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39396.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/parse-community/parse-server

Affected ranges

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

Fixed

35346525e83f11314301ed01b13ae309950a52a8

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.10.18"
        }
    ]
}

Type

GIT

Repo

https://github.com/parse-community/parse-server

Events

Introduced

46c9a91627a0503f0364c4cc1cc9bba3c6a86d65

Fixed

2458a8c58d9a685145ddb4fe59968b5449b3b392

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.3.1"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.2

2.2.20

2.2.21

2.2.22

2.2.23

2.2.24

2.2.25

2.2.25-beta.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.8.0

2.8.2

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.1.3

3.10.0

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.7.1

3.7.2

3.8.0

3.9.0

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.10.0

4.10.1

4.10.10

4.10.11

4.10.12

4.10.13

4.10.14

4.10.15

4.10.16

4.10.17

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.10.9

4.2.0

4.3.0

4.4.0

4.5.0

4.5.2

5.*

5.0.0

5.0.0-alpha.10

5.0.0-alpha.11

5.0.0-alpha.12

5.0.0-alpha.13

5.0.0-alpha.14

5.0.0-alpha.15

5.0.0-alpha.16

5.0.0-alpha.17

5.0.0-alpha.18

5.0.0-alpha.19

5.0.0-alpha.20

5.0.0-alpha.21

5.0.0-alpha.22

5.0.0-alpha.23

5.0.0-alpha.24

5.0.0-alpha.25

5.0.0-alpha.26

5.0.0-alpha.27

5.0.0-alpha.28

5.0.0-alpha.29

5.0.0-alpha.6

5.0.0-alpha.7

5.0.0-alpha.8

5.0.0-alpha.9

5.0.0-beta.10

5.1.0

5.1.1

5.2.0

5.2.0-alpha.1

5.2.0-alpha.2

5.2.0-alpha.3

5.2.0-beta.1

5.2.0-beta.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.3.0

5.3.0-alpha.10

5.3.0-alpha.11

5.3.0-alpha.12

5.3.0-alpha.13

5.3.0-alpha.14

5.3.0-alpha.15

5.3.0-alpha.16

5.3.0-alpha.17

5.3.0-alpha.18

5.3.0-alpha.7

5.3.0-alpha.8

5.3.0-alpha.9

5.3.0-beta.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39396.json"