CVE-2024-27298: 
JavaScript vulnerability analysis and mitigation

CVE-2024-27298 is a SQL injection vulnerability in Parse Server, a Parse Server implementation for Node.js/Express, discovered in early 2024. The vulnerability affects Parse Server deployments configured to use PostgreSQL database in versions prior to 6.5.0 and 7.0.0-alpha.20. This security issue was assigned a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory).

The vulnerability exists in the PostgreSQL database adapter of Parse Server, specifically in the regex sanitization mechanism. The issue allows for SQL injection attacks when Parse Server is configured with PostgreSQL as the database backend. The vulnerability has been assigned CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

The vulnerability enables attackers to perform SQL injection attacks against Parse Server installations using PostgreSQL databases. This could potentially lead to unauthorized access to database contents and manipulation of data. The CVSS score of 10.0 (Critical) indicates the highest severity level, with the potential for high impact on both confidentiality and integrity of the system (GitHub Advisory).

The vulnerability has been fixed in Parse Server versions 6.5.0 and 7.0.0-alpha.20. Users are strongly advised to upgrade to these or later versions. The fix includes improvements to the SQL injection detection algorithm (GitHub Release, GitHub Release).

The vulnerability was discovered by Mikhail Shcherbakov working with Trend Micro Zero Day Initiative, and the fix was developed by Ehsan Parsania. The coordination of the disclosure was handled by Manuel Trezza (GitHub Advisory).