GHSA-vm5r-c87r-pf6x

GitHub Security Advisory

Parse Server option `masterKeyIps` vulnerability to IP spoofing

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact

Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server does not run behind a proxy server, a client can set this header itself and Parse Server will trust its value. The incorrect client IP address is then used by various features in Parse Server. This makes it possible to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value.

### Patches

The mechanism to determine the client IP address has been rewritten. Correct IP address determination now requires setting the Parse Server option `trustProxy` accordingly; see the Express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting.
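As an added illustration of the header handling described under Impact and the `trustProxy` fix under Patches (example code written for this page, not Parse Server's or Express's own implementation): the first resolver trusts the header unconditionally, the second applies a simplified version of Express's `trust proxy` rules. The request objects, addresses and allowlist are constructed.

```javascript
// Added example, not Parse Server code: how `x-forwarded-for` is resolved
// with and without a trust-proxy setting, and the effect on an IP allowlist
// such as `masterKeyIps`. Request objects are minimal stand-ins for Node's.

// Header-trusting resolution: whenever the header is present it wins, so a
// client that connects directly (no proxy in front) chooses its own IP.
function clientIpNaive(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.socket.remoteAddress;
}

// Resolution following Express `trust proxy` semantics (simplified):
//  false      -> ignore the header, the socket peer is the client
//  true       -> trust every hop, the left-most header entry is the client
//  [addr...]  -> walk the chain right to left, stopping at the first address
//                that is not a listed proxy; that address is the client
function clientIpTrusted(req, trustProxy) {
  const peer = req.socket.remoteAddress;
  if (trustProxy === false) return peer;
  const xff = req.headers['x-forwarded-for'] || '';
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  if (trustProxy === true) return hops[0] || peer;
  const trusted = new Set(trustProxy);
  let client = peer;
  for (let i = hops.length - 1; i >= 0 && trusted.has(client); i--) {
    client = hops[i]; // `client` is a trusted proxy; the entry it appended is the next hop
  }
  return client;
}

function masterKeyAllowed(ip, masterKeyIps) {
  return masterKeyIps.includes(ip);
}

// Constructed scenarios (private and documentation address ranges only):
// a direct connection carrying a forged header, and a genuine request
// relayed through the trusted proxies 10.0.0.1 and 10.0.0.2.
const masterKeyIps = ['10.0.0.5'];
const direct = { socket: { remoteAddress: '203.0.113.9' },
                 headers: { 'x-forwarded-for': '10.0.0.5' } };
const proxied = { socket: { remoteAddress: '10.0.0.1' },
                  headers: { 'x-forwarded-for': '198.51.100.7, 10.0.0.2' } };

console.log('naive, direct  :', masterKeyAllowed(clientIpNaive(direct), masterKeyIps));                 // true
console.log('trusted, direct:', masterKeyAllowed(clientIpTrusted(direct, ['10.0.0.1']), masterKeyIps)); // false
console.log('proxied client :', clientIpTrusted(proxied, ['10.0.0.1', '10.0.0.2']));                    // 198.51.100.7
```

With `trustProxy` left at `false`, the header is ignored entirely and only the socket peer address is compared against the allowlist, which is the safe default for a deployment with no proxy in front.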

### References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x
- https://expressjs.com/en/guide/behind-proxies.html

Affected Packages

npm parse-server
Affected versions: 0 (fixed in 5.4.1)

Related CVEs

Key Information

GHSA ID
GHSA-vm5r-c87r-pf6x
Published
January 31, 2023 10:21 PM
Last Modified
February 4, 2023 12:14 AM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
parse-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.