GHSA-prm5-8g2m-24gg

GitHub Security Advisory

Remote code execution via MongoDB BSON parser through prototype pollution

✓ GitHub Reviewed | Severity: CRITICAL | Has CVE

Advisory Details

### Impact

An attacker can use this prototype pollution sink to trigger remote code execution through the MongoDB BSON parser.

### Patches

Prevent prototype pollution in MongoDB database adapter.

### Workarounds

Disable remote code execution through the MongoDB BSON parser.

### Collaborators

Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg

Affected Packages

- npm `parse-server`, affected versions: 0 (fixed in 4.10.18)
- npm `parse-server`, affected versions: 5.0.0 (fixed in 5.3.1)
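
A check against the affected ranges listed above, as an added example (not code from the advisory or from parse-server): it flags every installed copy of parse-server recorded in a `package-lock.json`. The function names and the sample lockfile are constructed, and treating a prerelease of a fixed version as still affected is a conservative assumption.

```javascript
// Added example, not parse-server code. Ranges copied from this advisory.
const AFFECTED = [
  { introduced: '0.0.0', fixed: '4.10.18' },
  { introduced: '5.0.0', fixed: '5.3.1' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// Simplified semver order: numeric fields first, then a prerelease sorts
// before its own release. Prerelease tags are not compared with each other.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  return a.pre && !b.pre ? -1 : !a.pre && b.pre ? 1 : 0;
}

// true/false for a parseable version, null when it needs manual review.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return AFFECTED.some(r =>
    compare(v, parseVersion(r.introduced)) >= 0 && compare(v, parseVersion(r.fixed)) < 0);
}

// Report every installed copy of parse-server, nested ones included, from the
// "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/parse-server$/.test(path))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Constructed sample lockfile fragment (package names are made up).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app', version: '1.0.0' },
  'node_modules/parse-server': { version: '5.2.4' },
  'node_modules/some-dashboard/node_modules/parse-server': { version: '4.10.18' },
  'node_modules/legacy-api/node_modules/parse-server': { version: '5.3.1-beta.1' },
}};

console.table(auditLockfile(sampleLock));
```

Nested copies matter here because a transitive dependency can pin an affected release even when the top-level install is patched.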

Key Information

- GHSA ID: GHSA-prm5-8g2m-24gg
- Published: November 8, 2022 5:29 PM
- Last Modified: November 9, 2022 12:04 AM
- CVSS Score: 9.0 / 10
- Primary Ecosystem: npm
- Primary Package: parse-server
- GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 9, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.