CVE-2022-41879: 
JavaScript vulnerability analysis and mitigation

Parse Server, an open source backend deployable on Node.js infrastructure, was found to contain a vulnerability (CVE-2022-41879) that affects versions prior to 5.3.3 or 4.10.20. The vulnerability was disclosed on November 10, 2022, and allows attackers to bypass the Parse Server requestKeywordDenylist option through prototype pollution via compromised Cloud Code Webhook target endpoints (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST and 7.2 (HIGH) by GitHub. The vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If successfully exploited, the vulnerability allows attackers to bypass the Parse Server's security controls through prototype pollution, specifically circumventing the requestKeywordDenylist option. This could potentially lead to unauthorized access and manipulation of server functionality (GitHub Advisory).

The vulnerability has been patched in Parse Server versions 5.3.3 and 4.10.20 through improved keyword detection. There are no known workarounds for affected versions, making it crucial for users to upgrade to the patched versions (GitHub Advisory).