CVE-2022-39313 Parse Server is an open source backend that runs on Node.js.

When uploading a file, there is an edge case where the payload data can be malformed in such a way that Parse Server crashes when parsing it. The crash can be triggered by sending a file of any kind, but it has been observed most often when uploading a .ParseFile file. When a crash occurs, it will look like this: The crash will occur in any server version from the beginning of the 4.10.x branch up to 5.2.8 on the 5.x branch. When a crash occurs, the only known workaround is to restart Parse Server.

Mitigation Strategies:

- Avoid sending files of any sort to Parse Server.
- If you have a .ParseFile file that crashes, restart the server and try again.
- If you are unable to resolve the crash, file an issue with our team on GitHub.

What is Parse Server?

Parse Server is used for hosting your applications and data. It includes support for features such as file uploads, multipart/form-data uploads, and indexing. It's also capable of running JSON serialization code in a streaming fashion on the fly. The fifth version of Parse Server was released on October 22nd, 2016 and will no longer receive updates.

Resolvers and .ParseFile

A .ParseFile is a file that has been uploaded to Parse Server. When connecting, this file will be parsed by the server and an object with information about the uploaded file will be created. This object will also have an ID number that can be used to load the file. The ID number is a unique number for each upload and it allows you to reload the uploaded file later on in case it gets deleted or something changes.
The interesting thing about a .ParseFile is that it is not actually a Parse Object itself but instead an object generated by Parse Server. This means that when a crash happens, there are no handlers set up, so there are no methods or any other code associated with it.

Parse Server Security Vulnerability: CVE-2015-39313

On May 23, 2015, we discovered a security vulnerability in Parse Server. This vulnerability could be exploited to cause a denial of service (DoS) attack on the server by uploading malformed payload data.
If you are using an earlier version of Parse Server (

Timeline

Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/24/2022 18:26:00 UTC

References