8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-22474

GHSA ID

GHSA-vm5r-c87r-pf6x

EPSS Score

0.17444%

CWE

CWE-290

Published

1/31/2023

Updated

2/4/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-22474

CVE-2023-22474: Parse Server option `masterKeyIps` vulnerability to IP spoofing

Impact

Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option masterKeyIps by setting an allowed IP address as the x-forwarded-for header value.

Patches

The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option trustProxy accordingly, see the express framework's trust proxy setting.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x
https://expressjs.com/en/guide/behind-proxies.html

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-22474

GHSA ID

GHSA-vm5r-c87r-pf6x

EPSS Score

0.17444%

CWE

CWE-290

Published

1/31/2023

Updated

2/4/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 5.4.1	5.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how client IPs were determined. The original getClientIp function in middlewares.js directly used x-forwarded-for header and other network properties without proper proxy configuration checks. This allowed attackers to spoof IPs by manipulating headers when trustProxy wasn't set. The commit patched this by removing custom IP resolution logic and delegating to Express's req.ip which respects the trustProxy setting. The removed test cases in Middlewares.spec.js further confirm these IP resolution paths were considered vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t P*rs* S*rv*r us*s t** r*qu*st *****r `x-*orw*r***-*or` to **t*rmin* t** *li*nt IP ***r*ss. I* P*rs* S*rv*r *o*sn't run ***in* * proxy s*rv*r, t**n * *li*nt **n s*t t*is *****r *n* P*rs* S*rv*r will trust t** v*lu* o* t** *****r. T** in*or

Reasoning

T** vuln*r**ility st*mm** *rom *ow *li*nt IPs w*r* **t*rmin**. T** ori*in*l `**t*li*ntIp` *un*tion in `mi**l*w*r*s.js` *ir**tly us** `x-*orw*r***-*or` *****r *n* ot**r n*twork prop*rti*s wit*out prop*r proxy *on*i*ur*tion ****ks. T*is *llow** *tt**k*

8.7

Basic Information

Concerned about an active attack path?

CVE-2023-22474: Parse Server option `masterKeyIps` vulnerability to IP spoofing

Impact

Patches

References

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI