
CVE-2023-22474: Parse Server option `masterKeyIps` vulnerability to IP spoofing

CVSS Score (v3.1): 8.7

Basic Information

EPSS Score: 0.17444%
Published: 1/31/2023
Updated: 2/4/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| parse-server | npm       | < 5.4.1             | 5.4.1                 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from how client IPs were determined. The original `getClientIp` function in `middlewares.js` read the `x-forwarded-for` header (and other connection properties) directly, without checking whether Parse Server was configured to run behind a trusted proxy. A client connecting directly, with no proxy in front of Parse Server, could therefore set `x-forwarded-for` to an address on the `masterKeyIps` allowlist and have its master-key request accepted. The patch removed the custom IP resolution logic and delegated to Express's `req.ip`, which only honours forwarding headers when the `trust proxy` setting (exposed as Parse Server's `trustProxy` option) marks the connecting peer as a trusted proxy. The test cases removed from `Middlewares.spec.js` in the same commit covered exactly these header-based resolution paths, confirming they were considered vulnerable.


WAF Protection Rules

WAF Rule

### Impact

Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The infor
