-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaScriptJavaScriptMiggo AIRoot Cause AnalysisThe vulnerability stems from the literalizeRegexPart function's handling of regex input sanitization. The commit diff shows the critical fix was adding the 'g' flag to .replace(/([^'])'/g, $1''), indicating the original implementation only replaced the first occurrence of unescaped single quotes. This incomplete escaping allowed SQL injection payloads like 'A'B';SELECT PG_SLEEP(3);--' to bypass sanitization. The added test case in vulnerabilities.spec.js explicitly validates this fix by testing a SQL injection attempt via $regex parameter, confirming the function's role in the vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| parse-server | npm | < 6.5.0 | 6.5.0 |
| parse-server | npm | >= 7.0.0-alpha.1, < 7.0.0-alpha.20 | 7.0.0-alpha.20 |
Ongoing coverage of React2Shell