CVE-2023-36475: 
JavaScript vulnerability analysis and mitigation

CVE-2023-36475 is a critical vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure running Node.js. The vulnerability was discovered by hir0ot working with Trend Micro Zero Day Initiative and was disclosed on June 28, 2023. It affects Parse Server versions prior to 5.5.2 and versions 6.0.0 to 6.2.1. The vulnerability carries a CVSS score of 9.8, indicating its critical severity (GitHub Advisory, ZDI).

The vulnerability exists within the MongoDB BSON parser that Parse Server employs. An attacker can exploit a prototype pollution sink to trigger remote code execution. The issue specifically lies in the lack of control over modifications to attributes of object prototypes, which can be leveraged to execute arbitrary code in the context of the service account (Security Online, ZDI).

The vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. The high CVSS score of 9.8 indicates that successful exploitation could lead to complete system compromise, with potential impacts on the confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been patched in Parse Server versions 5.5.2 and 6.2.1. The fix prevents prototype pollution in the MongoDB database adapter. For systems where patch deployment may be delayed, a workaround is available by disabling remote code execution through the MongoDB BSON parser (GitHub Advisory).