7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41878

GHSA ID

GHSA-xprv-wvh7-qqqx

EPSS Score

0.15429%

CWE

CWE-1321

Published

11/9/2022

Updated

8/21/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41878

CVE-2022-41878: Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers

Impact

Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-41878

CVE-2022-41878:

7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41878

GHSA ID

GHSA-xprv-wvh7-qqqx

EPSS Score

0.15429%

CWE

CWE-1321

Published

11/9/2022

Updated

8/21/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 4.10.19	4.10.19
parse-server	npm	>= 5.0.0, < 5.3.2	5.3.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing requestKeywordDenylist validation after Cloud Code trigger execution. The commit diff shows the fix added checkProhibitedKeywords() to runBeforeSaveTrigger, indicating this was the missing validation point. The tests demonstrate that trigger-modified data with 'constructor.prototype' payloads would bypass checks in vulnerable versions. The RestWrite.js file's runBeforeSaveTrigger function was responsible for processing trigger-modified data without re-validation, making it the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-41878: Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers

Impact

Patches

Workarounds

Collaborators

References

CVE-2022-41878:

7.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2022-41878: Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers

Impact

Patches

Workarounds

Collaborators

References

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.2

7.2

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI