GHSA-593v-wcqx-hq2w: 
JavaScript vulnerability analysis and mitigation

A critical security incident was identified in parse-server (GHSA-593v-wcqx-hq2w) where unauthorized version tags were pushed to the Parse Server repository. The issue was discovered on July 21, 2021, affecting multiple versions ranging from 4.0.0 to 4.9.3. These incorrect tags linked to a personal fork of a contributor who had write access to the repository, and the associated code had not undergone official review or approval by Parse Platform (GitHub Advisory).

The vulnerability arose when incorrect version tags were linked to an external repository through a contributor's personal fork. While no official releases were published with these incorrect versions, users could still access the affected code by specifying direct Git dependencies, for example using "parse-server": "git@github.com:parse-community/parse-server.git#4.9.3". The issue affected numerous versions including beta releases from 4.0.0-beta1 through 4.9.3 (GitHub Advisory).

While no direct malicious code or immediate privacy and security concerns were identified, the vulnerability posed significant risks as some functionality was reported to work incorrectly, and the introduction of security vulnerabilities could not be ruled out. The impact extended to users of Bitnami images for Parse Server, as Bitnami had incorporated the incorrect version tag 4.9.3 into their published images (GitHub Advisory).

Two primary mitigation options were provided: users could either upgrade to version 4.10.0 (the recommended solution) or downgrade to version 4.5.2 as a workaround. The Parse Platform team strongly urged users of affected versions to upgrade to version 4.10.0 (GitHub Advisory).