
CVE-2022-31089: Invalid file request can crash server

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.54244%
Published: 6/20/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
parse-server | npm       | < 4.10.12           | 4.10.12
parse-server | npm       | >= 5.0.0, < 5.2.3   | 5.2.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper error handling in file request processing. The commit diff shows:

  1. In getHandler: a null-check on the config object was added to prevent accessing properties of an undefined value (CWE-252).
  2. In metadataHandler: config retrieval was moved inside the try-block so that a failure there is caught rather than escaping the handler.

These changes directly address unvalidated return values from Config.get() and improper error handling boundaries. The CWE-252 mapping confirms this relates to unchecked return values (config validation). The added tests verify that these functions crashed when they processed invalid requests without these checks.



Impact

Certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as a single ins
