CVE-2022-39396: 
JavaScript vulnerability analysis and mitigation

Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, was found to contain a critical Remote Code Execution vulnerability (CVE-2022-39396). The vulnerability affected versions prior to 4.10.18 and prior to 5.3.1 on the 5.X branch. This security flaw was discovered by researchers Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA), and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative (GitHub Advisory, ZDI Advisory).

The vulnerability exists within the transformUpdate function and stems from the lack of control over modifications to attributes of object prototypes. It has been classified as a prototype pollution vulnerability (CWE-1321). The issue received a Critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature (ZDI Advisory).

An attacker can leverage this vulnerability to execute arbitrary code in the context of the service account through the MongoDB BSON parser. The high CVSS score indicates that successful exploitation could lead to complete system compromise, affecting the confidentiality, integrity, and availability of the target system (GitHub Advisory).

The vulnerability has been patched in versions 5.3.1 and 4.10.18. The fix prevents prototype pollution in the MongoDB database adapter. For systems that cannot immediately update, there are no known workarounds (GitHub Advisory).