CVE-2024-29027: 
JavaScript vulnerability analysis and mitigation

Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, was found to have a critical vulnerability (CVE-2024-29027) discovered in March 2024. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name could crash the server and potentially allow for code injection, internal store manipulation, or remote code execution (GitHub Advisory).

The vulnerability stems from improper validation of Cloud Function and Cloud Job names. When processing these names, the server lacked proper string sanitation, which could lead to server crashes and potential security exploits. The issue has been assigned a CVSS v3.1 base score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating a high-severity vulnerability that can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

The vulnerability could allow attackers to crash the server, potentially inject malicious code, manipulate internal store data, or achieve remote code execution. The high CVSS score reflects the serious potential impact on system confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in Parse Server versions 6.5.5 and 7.0.0-alpha.29 by adding string sanitation for Cloud Function names and Cloud Job names. As a workaround for users unable to update immediately, it is recommended to sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server (GitHub Advisory).