Parse JavaScript SDK Prototype Pollution Vulnerability in Object APIs Allowing Remote Code Execution
Vulnerability
A prototype pollution vulnerability has been identified in the Parse JavaScript SDK, specifically in version 7.0.0 and prior. It allows attacker-controlled JSON to inject properties into the prototype chain, which can lead to the remote execution of arbitrary code. The issue affects the `ParseObject.fromJSON`, `ParseObject.pin`, `ParseObject.registerSubclass`, `ObjectStateMutations`, and the internal `encode`/`decode` APIs. The root cause is insufficient validation of property names during decoding, which lets keys such as `__proto__` reach and modify the prototype chain.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into an object's prototype. This can lead to the execution of arbitrary code, especially if the polluted prototype is subsequently processed by code that relies on the integrity of object properties.
Reproduction
The vulnerability can be reproduced by passing `ParseObject.fromJSON` a JSON object that includes dangerous keys such as `__proto__`, `constructor`, or `prototype`. The values under those keys are the payload: because the decoder does not reject the key names, the properties they carry are written onto the shared prototype rather than onto the object being built. Once the object is parsed, the injected properties are visible on unrelated objects, demonstrating the pollution of the prototype.
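The following is an added example, not code from the Parse JavaScript SDK or the advisory. It shows the bug class in miniature: a small hypothetical JSON-to-object decoder that deep-merges parsed JSON into an existing object, first written naively and then with the property-name check the advisory describes as missing. The sample JSON, the `isAdmin` marker and all function names are constructed for this illustration.

```javascript
// Added example (not the Parse SDK's code): a minimal decoder that merges
// parsed JSON into a target object, naive and hardened versions side by side.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive decoder: trusts every key in the JSON. A plain object's `__proto__`
// property resolves to Object.prototype, so recursing into it writes the
// nested properties onto every object in the process.
function unsafeDecodeInto(target, json) {
  for (const key of Object.keys(json)) {
    const value = json[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDecodeInto(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened decoder: rejects the three keys that reach the prototype chain and
// only descends into properties the target actually owns.
function safeDecodeInto(target, json) {
  for (const key of Object.keys(json)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`Refusing to decode key "${key}": it would alter the prototype chain`);
    }
    const value = json[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDecodeInto(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample shaped like the input class the advisory describes.
// `isAdmin` is an arbitrary marker for this demo, not a real SDK field.
const SAMPLE_JSON = JSON.parse('{"objectId":"abc123","__proto__":{"isAdmin":true}}');

// Runs both decoders and reports whether an unrelated object was affected.
// Restores Object.prototype afterwards so the process is left as found.
function demonstrate() {
  const result = { naivePolluted: false, safeRejected: false, prototypeClean: false };
  try {
    unsafeDecodeInto({}, SAMPLE_JSON);
    result.naivePolluted = ({}).isAdmin === true; // a fresh object now carries isAdmin
  } finally {
    delete Object.prototype.isAdmin;
  }
  try {
    safeDecodeInto({}, SAMPLE_JSON);
  } catch (e) {
    result.safeRejected = true;
  }
  result.prototypeClean = ({}).isAdmin === undefined;
  return result;
}

// Detection aid: walk parsed JSON at a trust boundary and return the paths of
// any dangerous keys, so they can be logged or alerted on before decoding.
function findDangerousKeys(json, path = '') {
  const hits = [];
  for (const key of Object.keys(json)) {
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) hits.push(here);
    if (isPlainObject(json[key])) hits.push(...findDangerousKeys(json[key], here));
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
  console.log(findDangerousKeys(SAMPLE_JSON));
}
```

Run with `node` to see `naivePolluted: true`, `safeRejected: true`, `prototypeClean: true`, followed by `['__proto__']` from the scanner. The key check is the minimal fix; building decoded objects with `Object.create(null)` and copying only own properties via `Object.defineProperty` is a stronger design because such objects have no prototype to pollute. Until an affected deployment is upgraded, running a scan like `findDangerousKeys` over untrusted JSON before it reaches the SDK gives both a mitigation and a detection signal.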
Remediation
Users can upgrade to Parse JavaScript SDK version 7.0.0 or later, where this vulnerability has been fixed.