CVE-2022-31089: Invalid file request can crash server
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-31089
GHSA ID
EPSS Score: 0.54244%
CWE: CWE-252
Published: 6/20/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
parse-server | npm | < 4.10.12 | 4.10.12 |
parse-server | npm | >= 5.0.0, < 5.2.3 | 5.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper error handling in file request processing. The commit diff shows:
- In getHandler: Added config null-check to prevent accessing undefined properties (CWE-252)
- In metadataHandler: Moved config retrieval inside try-block to ensure proper error catching

These changes directly address unvalidated return values from Config.get() and improper error handling boundaries. The CWE-252 mapping confirms this relates to unchecked return values (config validation). The added tests verify crashes occurred when these functions processed invalid requests without proper checks.
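The two changes described above, shown as an added example on a small constructed model; this is not parse-server's code or its actual patch. The `registry`, the `makeRes` stub, the `Unchecked`/`Checked` handler names, the 403 reply and the empty-metadata fallback are assumptions made for illustration.

```javascript
// Constructed model of the pattern; not parse-server source code.
const registry = new Map([['knownApp', {            // constructed sample app
  filesController: {
    getFileData: async (name) => `data:${name}`,
    getMetadata: async (name) => ({ name }),
  },
}]]);
// Assumption: the lookup returns undefined for an unknown app id.
const Config = { get: (appId) => registry.get(appId) };

// Minimal response stub so the handlers run without a web framework.
function makeRes() {
  return {
    statusCode: 200, body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
    end(data) { this.body = data; return this; },
  };
}

// Before: the return value of Config.get() is used unchecked (CWE-252).
async function getHandlerUnchecked(req, res) {
  const config = Config.get(req.params.appId);
  // TypeError when config is undefined; the async handler rejects.
  const data = await config.filesController.getFileData(req.params.filename);
  res.status(200).end(data);
}

// After: refuse the request when no config exists for the app id.
async function getHandlerChecked(req, res) {
  const config = Config.get(req.params.appId);
  if (!config) {
    res.status(403).json({ error: 'Invalid application ID.' }); // assumed reply
    return;
  }
  const data = await config.filesController.getFileData(req.params.filename);
  res.status(200).end(data);
}

// After: the config lookup sits inside try, so its failure is caught as well.
async function metadataHandlerChecked(req, res) {
  try {
    const config = Config.get(req.params.appId);
    const meta = await config.filesController.getMetadata(req.params.filename);
    res.status(200).json(meta);
  } catch (e) {
    res.status(200).json({}); // assumed fallback: empty metadata
  }
}
```

A regression test for this class of bug should call each handler with an unknown app id and assert that it resolves with a response instead of rejecting.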