
Cloud Vulnerability DB
A community-led vulnerabilities database
Parse Server, an open source backend server, was found to contain a security vulnerability (CVE-2023-41058) where the Parse Cloud trigger beforeFind was not invoked in certain conditions of Parse.Query. The vulnerability was discovered and disclosed in September 2023, affecting Parse Server versions prior to 5.5.5 and 6.2.2. The issue impacted deployments where the beforeFind trigger was used as a security layer to modify incoming queries (GitHub Advisory).
The vulnerability allowed a Parse Pointer to be used to access internal Parse Server classes and circumvent the beforeFind query trigger. This created a security weakness particularly in deployments that relied on the beforeFind trigger as a security layer for modifying incoming queries. The issue received a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no required privileges or user interaction, and a high confidentiality impact (GitHub Advisory).
The vulnerability could allow unauthorized access to internal Parse Server classes and bypass security controls implemented through the beforeFind trigger. This could lead to unauthorized data access in systems that relied on beforeFind triggers for implementing security measures (GitHub Advisory).
The vulnerability has been patched in Parse Server versions 5.5.5 and 6.2.2 by refactoring the internal query pipeline into a more concise structure and adding a fix that ensures the beforeFind trigger is invoked. For users unable to upgrade, the recommended workaround is to use Parse Server's built-in security layers, Class-Level Permissions (CLPs) and Object-Level Access Control (ACLs), to manage access levels instead of custom security layers in Cloud Code triggers (GitHub Advisory).
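The workaround above rests on a property that a Cloud Code trigger does not have: CLPs and ACLs are evaluated on every object read, whichever class the incoming query named, so an object reached through a Pointer is still gated by the permissions of its own class. The following added example (not code from Parse Server or the advisory) is a small in-memory model of that behaviour. The CLP and ACL object shapes follow the documented Parse formats; the evaluation functions, the class names Post and AuditLog, and the users are constructed for illustration and are not Parse's own implementation.

```javascript
// Added example, not code from Parse Server or the advisory: a simplified in-memory
// model of Parse Class-Level Permissions (CLPs) and per-object ACLs. The CLP/ACL
// object shapes follow the documented Parse formats; the evaluation functions and
// the sample data below are constructed for illustration.

// Constructed sample schema: "Post" is public, "AuditLog" is an internal class
// readable only by members of the "admin" role.
const db = {
  Post: {
    clp: { find: { '*': true }, get: { '*': true } },
    objects: {
      post1: {
        objectId: 'post1',
        title: 'Hello',
        log: { __type: 'Pointer', className: 'AuditLog', objectId: 'log1' },
      },
    },
  },
  AuditLog: {
    clp: { find: { 'role:admin': true }, get: { 'role:admin': true } },
    objects: {
      log1: { objectId: 'log1', action: 'login', ACL: { 'role:admin': { read: true, write: true } } },
    },
  },
};

// CLP check for one operation: public ('*'), any authenticated user
// (requiresAuthentication), a specific user id, or a role entry ('role:<name>').
function clpAllows(clp, op, user) {
  const rule = (clp && clp[op]) || {};
  if (rule['*'] === true) return true;
  if (!user) return false;
  if (rule.requiresAuthentication === true) return true;
  if (rule[user.id] === true) return true;
  return (user.roles || []).some((r) => rule['role:' + r] === true);
}

// ACL read check: an object without an ACL is publicly readable; otherwise the
// public entry, the user id, or one of the user's roles must carry read: true.
function aclAllowsRead(acl, user) {
  if (!acl) return true;
  if (acl['*'] && acl['*'].read === true) return true;
  if (!user) return false;
  if (acl[user.id] && acl[user.id].read === true) return true;
  return (user.roles || []).some((r) => acl['role:' + r] && acl['role:' + r].read === true);
}

// Reading a single object evaluates the CLP of its own class and its own ACL,
// independent of which class the caller originally queried.
function readObject(className, objectId, user) {
  const cls = db[className];
  if (!cls) throw new Error('unknown class: ' + className);
  if (!clpAllows(cls.clp, 'get', user)) return null;
  const obj = cls.objects[objectId];
  if (!obj || !aclAllowsRead(obj.ACL, user)) return null;
  return obj;
}

// A find with an included pointer field: the top-level class is gated by its CLP
// and ACLs, and every pointer target goes through readObject, so the target
// class's permissions apply even though the query named only `className`.
function findWithInclude(className, includeField, user) {
  const cls = db[className];
  if (!cls || !clpAllows(cls.clp, 'find', user)) return [];
  return Object.values(cls.objects)
    .filter((o) => aclAllowsRead(o.ACL, user))
    .map((o) => {
      const ptr = o[includeField];
      const target = ptr ? readObject(ptr.className, ptr.objectId, user) : null;
      return { ...o, [includeField]: target };
    });
}

// Constructed users: an anonymous request and a member of the admin role.
const anonymous = null;
const admin = { id: 'u_admin', roles: ['admin'] };

console.log(findWithInclude('Post', 'log', anonymous)[0].log); // null: AuditLog CLP blocks the pointer target
console.log(findWithInclude('Post', 'log', admin)[0].log.action); // 'login'
```

The point of the model is the call path: `findWithInclude` never decides on its own whether the pointer target may be returned; it defers to `readObject`, which applies the target class's CLP and the object's ACL. A beforeFind trigger registered for Post would only ever see the Post query, which is why the advisory recommends CLPs and ACLs, enforced at the data layer, over trigger-based query rewriting as the access-control layer.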
Source: This report was generated using AI