Parse Server SQL Injection Vulnerability in PostgreSQL Deployments

Vulnerability

A SQL injection vulnerability has been identified in Parse Server versions 9.0.0 prior to 9.6.0-alpha.10 and 8.6.36 prior to 8.6.36. The issue arises only when the server is configured to use PostgreSQL as its database. An attacker who holds the master key can exploit it by supplying crafted field names in query constraints; the injected SQL runs at the database level, bypassing the Parse Server abstraction layer entirely. The root cause is that field names used in '$regex' query operators are spliced into the SQL string through unparameterized string interpolation rather than being validated or quoted as identifiers, so a crafted field name can alter the structure of the SQL query.

Impact

Successful exploitation lets an attacker execute arbitrary SQL commands against the backing PostgreSQL database, potentially leading to unauthorized reading or modification of data outside the access controls that Parse Server would otherwise enforce.

Remediation

Users should upgrade to Parse Server version 9.6.0-alpha.10 (9.x line) or 8.6.36 (8.x line) to address this vulnerability.

Added: Mar 11, 2026, 8:21 PM
Updated: Mar 11, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 4.4
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.