Parse Server PostgreSQL Storage Adapter SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the PostgreSQL storage adapter of Parse Server. This issue arises when processing 'Increment' operations on nested object fields using dot notation, such as 'stats.counter'. The vulnerability allows an attacker to inject arbitrary SQL subqueries into the database query. This is possible because the 'amount' value is directly interpolated into the SQL query without proper parameterization or type validation. As a result, an attacker who can send write requests to the Parse Server REST API could exploit this vulnerability to read any data from the database, bypassing Class Level Permissions (CLPs) and Access Control Lists (ACLs). It is important to note that this vulnerability does not affect MongoDB deployments.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate SQL queries and potentially read sensitive data from the database.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.3 or 8.6.29 to address this vulnerability.

Added: Mar 11, 2026, 6:26 PM
Updated: Mar 11, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 7.9
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.