8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-47183

GHSA ID

GHSA-8xq9-g7ch-35hg

EPSS Score

0.35331%

CWE

CWE-285

Published

10/4/2024

Updated

11/13/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47183

CVE-2024-47183: Parse Server's custom object ID allows to acquire role privileges

Impact

If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role.

Patches

Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected.

Workarounds

Disable custom object IDs by setting allowCustomObjectId: false or not setting the option which defaults to false.
Use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix role:.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg
https://github.com/parse-community/parse-server/pull/9317 (fix for Parse Server 7)
https://github.com/parse-community/parse-server/pull/9318 (fix for Parse Server 6)

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-47183

GHSA ID

GHSA-8xq9-g7ch-35hg

EPSS Score

0.35331%

CWE

CWE-285

Published

10/4/2024

Updated

11/13/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 6.5.9	6.5.9
parse-server	npm	>= 7.0.0, < 7.3.0	7.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) The user creation endpoint (handleCreate in ClassesRouter) didn't prevent object IDs starting with 'role:' which are reserved for system roles. 2) The session authentication logic (getAuthForSessionToken in Auth.js) didn't invalidate existing sessions using these poisoned IDs. The commit diffs show added validation in both locations - object ID prefix check during user creation and session token validation - confirming these were the vulnerable points before patching.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* t** P*rs* S*rv*r option `*llow*ustomO*j**tI*: tru*` is s*t, *n *tt**k*r t**t is *llow** to *r**t* * n*w us*r **n s*t * *ustom o*j**t I* *or t**t n*w us*r t**t *xploits t** vuln*r**ility *n* **quir*s privil***s o* * sp**i*i* rol*. ###

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) T** us*r *r**tion *n*point (`**n*l**r**t*` in `*l*ss*sRout*r`) *i*n't pr*v*nt o*j**t I*s st*rtin* wit* 'rol*:' w*i** *r* r*s*rv** *or syst*m rol*s. *) T** s*ssion *ut**nti**tion lo*i* (`**t*ut**orS*ssio

8.1

Basic Information

Concerned about an active attack path?

CVE-2024-47183: Parse Server's custom object ID allows to acquire role privileges

Impact

Patches

Workarounds

References

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI