Skip to content

Server crashes on invalid Cloud Function or Cloud Job name

Critical
mtrezza published GHSA-6hh7-46r2-vf29 Mar 19, 2024

Package

npm parse-server (npm)

Affected versions

<6.5.4

Patched versions

>=6.5.5

Description

Impact

Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection.

Patches

Added string sanitation for Cloud Function name and Cloud Job name.

Workarounds

Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

References

Severity

Critical
9.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2024-29027

Weaknesses

No CWEs

Credits