10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27298

GHSA ID

GHSA-6927-3vr9-fxf2

EPSS Score

0.12148%

CWE

CWE-89

Published

3/1/2024

Updated

3/1/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27298

CVE-2024-27298: ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2
https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6)
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release)

Credits

Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder)
Ehsan Persania (remediation developer)
Manuel Trezza (coordinator)

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27298

GHSA ID

GHSA-6927-3vr9-fxf2

EPSS Score

0.12148%

CWE

CWE-89

Published

3/1/2024

Updated

3/1/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 6.5.0	6.5.0
parse-server	npm	>= 7.0.0-alpha.1, < 7.0.0-alpha.20	7.0.0-alpha.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the literalizeRegexPart function's handling of regex input sanitization. The commit diff shows the critical fix was adding the 'g' flag to .replace(/([^'])'/g, $1''), indicating the original implementation only replaced the first occurrence of unescaped single quotes. This incomplete escaping allowed SQL injection payloads like 'A'B';SELECT PG_SLEEP(3);--' to bypass sanitization. The added test case in vulnerabilities.spec.js explicitly validates this fix by testing a SQL injection attempt via $regex parameter, confirming the function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility *llows SQL inj**tion w**n P*rs* S*rv*r is *on*i*ur** to us* t** Post*r*SQL **t***s*. ### P*t***s T** *l*orit*m to **t**t SQL inj**tion **s ***n improv**. ### Work*roun*s Non*. ### R***r*n**s - *ttps://*it*u*.*om/p

Reasoning

T** vuln*r**ility st*ms *rom t** lit*r*liz*R***xP*rt *un*tion's **n*lin* o* r***x input s*nitiz*tion. T** *ommit *i** s*ows t** *riti**l *ix w*s ***in* t** '*' *l** to .r*pl***(/([^'])'/*, `$*''`), in*i**tin* t** ori*in*l impl*m*nt*tion only r*pl****

10

Basic Information

Concerned about an active attack path?

CVE-2024-27298: ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Impact

Patches

Workarounds

References

Credits

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI