Parse Server SQL Injection Vulnerability in PostgreSQL Storage Adapter

A SQL injection vulnerability has been identified in Parse Server versions 9.0.0 prior to 9.6.0-alpha.5 and 8.6.31 prior to 8.6.31. This vulnerability exists in the PostgreSQL storage adapter when processing 'Increment' operations on nested object fields using dot notation, such as 'stats.counter'. The issue arises because the sub-key name is directly interpolated into SQL string literals without proper escaping. An attacker capable of sending write requests to the Parse Server REST API can exploit this by injecting arbitrary SQL through a crafted sub-key name that includes single quotes. This could lead to executing commands or reading data from the database, bypassing Class Level Permissions (CLPs) and Access Control Lists (ACLs). Only deployments using PostgreSQL are affected.

Impact

Exploitation allows for arbitrary SQL injection, potentially leading to unauthorized data access or manipulation in the database.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.5 or 8.6.31 to address this vulnerability.