
Cloud Vulnerability DB
A community-led vulnerabilities database
Parse Server, an open source HTTP web server backend, contained a remote code execution (RCE) vulnerability in versions prior to 4.10.7. The vulnerability affected Parse Server in its default configuration with MongoDB and stemmed from prototype-pollution-prone code in the DatabaseController.js file. It was confirmed on both Linux (Ubuntu) and Windows systems (GitHub Advisory).
The vulnerability (CVE-2022-24760) was rated CRITICAL with a CVSS v3.1 Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The weaknesses were identified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The vulnerability allowed attackers to use prototype pollution to trigger remote code execution through the MongoDB BSON parser (NVD).
The vulnerability allowed remote attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. The issue affected both the MongoDB configuration and likely extended to Postgres and other database backends (GitHub Advisory).
The primary mitigation is to upgrade to Parse Server version 4.10.7 or later. A temporary workaround involves patching the MongoDB Node.js driver and disabling BSON code execution by adding specific code before starting Parse Server. The fix also introduces a security feature that scans request data for sensitive keywords to prevent JavaScript prototype pollution; the default denied keywords include {_bsontype: 'Code'}, constructor, and __proto__ (GitHub Advisory).
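As an added example (not Parse Server's own code), a request-body scanner in the spirit of the keyword denylist the fix introduces. It assumes the three default rules named above and an Express-style middleware signature (req.body, res.status().json(), next), both of which are assumptions here.

```javascript
// Denylist rules: a key alone, or a key that must carry a given value.
// These mirror the defaults the advisory describes (assumed shape).
const DEFAULT_DENYLIST = [
  { key: '_bsontype', value: 'Code' }, // BSON Code objects must never arrive from clients
  { key: 'constructor' },
  { key: '__proto__' },
];

// Walk a parsed JSON body (objects and arrays, any depth) and return the
// JSON-pointer-style path of the first denied key, or null if the body is clean.
function findDeniedKeyword(node, denylist = DEFAULT_DENYLIST, path = '') {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findDeniedKeyword(node[i], denylist, `${path}/${i}`);
      if (hit) return hit;
    }
    return null;
  }
  if (node === null || typeof node !== 'object') return null;
  // JSON.parse creates "__proto__" as an own data property, so
  // Object.entries sees it like any other key.
  for (const [key, value] of Object.entries(node)) {
    for (const rule of denylist) {
      if (rule.key !== key) continue;
      if ('value' in rule && rule.value !== value) continue;
      return `${path}/${key}`;
    }
    const hit = findDeniedKeyword(value, denylist, `${path}/${key}`);
    if (hit) return hit;
  }
  return null;
}

// Express-style middleware (assumed) that rejects polluted bodies with HTTP 400.
function denyPrototypePollution(req, res, next) {
  const hit = findDeniedKeyword(req.body);
  if (hit) {
    return res.status(400).json({ error: `prohibited keyword in request at ${hit}` });
  }
  return next();
}

// Constructed sample bodies, parsed the way a JSON body parser would parse them.
const cleanBody = JSON.parse('{"name":"alice","tags":["a","b"],"meta":{"n":1}}');
const pollutedBody = JSON.parse('{"meta":{"__proto__":{"admin":true}}}');
```

Run against pollutedBody the scanner reports /meta/__proto__, while cleanBody passes; a key such as _bsontype with a value other than 'Code' is not flagged, so legitimate BSON types are unaffected.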
Source: This report was generated using AI