Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.6.0-alpha.24
- < 8.6.47
A denial-of-service vulnerability has been identified in Parse Server, an open-source backend framework that runs on Node.js. It affects versions 9.0.0 up to but not including 9.6.0-alpha.24, and all versions before 8.6.47. The issue arises when a remote client calls the cloud function endpoint with a specially crafted function name: because the name is resolved with an ordinary property lookup, a name that is not a registered cloud function but exists on the JavaScript prototype chain (an inherited property rather than an own property of the handler registry) is still resolved and dispatched. This prototype-chain traversal can end in a stack overflow that crashes the Parse Server process. The fix in 9.6.0-alpha.24 and 8.6.47 restricts the lookup during cloud function name resolution to own properties, so inherited properties are never treated as registered handlers.
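The lookup problem the advisory describes, shown as an added illustration rather than Parse Server's own code: a hypothetical cloud-function registry resolves a caller-supplied name once with a plain property read and once restricted to own properties. The names `registry`, `define`, `resolveVulnerable`, `resolveHardened` and `classify` are assumptions for this example, and the crash itself (the stack overflow) is not reproduced; the point is which names the two resolvers accept.

```javascript
// Added example, not Parse Server code. The registry and function names
// below are hypothetical; the probe names are constructed for the demo.

// Constructed registry: cloud function name -> handler.
const registry = {};
function define(name, handler) {
  registry[name] = handler;
}
define('hello', (req) => `hello ${req.params.name}`);

// Vulnerable resolution: an ordinary property read. Any name that exists
// somewhere on the prototype chain ("constructor", "toString",
// "__proto__", ...) resolves to a value that was never registered, and a
// caller controls which one.
function resolveVulnerable(name) {
  return registry[name];
}

// Hardened resolution: only own properties of the registry count as
// registered cloud functions; inherited properties resolve to undefined.
function resolveHardened(name) {
  if (!Object.prototype.hasOwnProperty.call(registry, name)) {
    return undefined;
  }
  return registry[name];
}

// Summarise what a resolver hands back for a given name.
function classify(resolver, name) {
  const handler = resolver(name);
  if (handler === undefined) return 'unknown';
  return typeof handler === 'function' ? 'callable' : 'non-function';
}

// Constructed probe names: one real function plus inherited properties.
const probes = ['hello', 'constructor', 'toString', '__proto__', 'hasOwnProperty'];

function report() {
  return probes.map((name) => ({
    name,
    vulnerable: classify(resolveVulnerable, name),
    hardened: classify(resolveHardened, name),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

Running the block prints a table in which the vulnerable resolver reports `constructor`, `toString` and `hasOwnProperty` as callable and `__proto__` as a non-function value, while the hardened resolver reports every name except `hello` as unknown. Creating the registry with `Object.create(null)` or using a `Map` is an equivalent defence, since neither has an inherited property chain for a caller to reach.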
Exploitation of this vulnerability can cause the Parse Server process to crash, leading to a denial-of-service condition where the server becomes unresponsive or unavailable.
Upgrade to Parse Server 9.6.0-alpha.24 or later on the 9.x line, or 8.6.47 or later on the 8.x line. The advisory lists no workaround, so upgrading is the only stated remediation; check the installed version with `npm ls parse-server` before and after. Upgrade instructions are in the Parse Server documentation.