GHSA-462x-c3jw-7vr6

GitHub Security Advisory

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

GitHub Reviewed · Severity: CRITICAL · Has CVE

Advisory Details

### Impact

An attacker can use this prototype pollution sink to trigger remote code execution through the MongoDB BSON parser.

### Patches

Prevent prototype pollution in MongoDB database adapter.

### Workarounds

Disable remote code execution through the MongoDB BSON parser.

### Credits

- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- https://github.com/advisories/GHSA-prm5-8g2m-24gg

Affected Packages

- npm parse-server: affected versions 0 (fixed in 5.5.2)
- npm parse-server: affected versions 6.0.0 (fixed in 6.2.1)

Key Information

- GHSA ID: GHSA-462x-c3jw-7vr6
- Published: June 30, 2023 8:41 PM
- Last Modified: June 30, 2023 8:41 PM
- CVSS Score: 9.0 / 10
- Primary Ecosystem: npm
- Primary Package: parse-server
- GitHub Reviewed: Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.