Platform
nodejs
Component
parse-server
Fixed in
6.5.1
7.0.1
CVE-2024-27298 is a critical SQL injection vulnerability discovered in Parse Server, a Node.js/Express-based Parse backend. This flaw allows attackers to inject malicious SQL code when Parse Server is configured to use a PostgreSQL database, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions less than or equal to 6.5.0 and versions prior to 7.0.0-alpha.20. A fix has been released in versions 6.5.0 and 7.0.0-alpha.20.
Successful exploitation of CVE-2024-27298 could grant an attacker complete control over the underlying PostgreSQL database. This includes the ability to read, modify, or delete any data stored within the database, such as user credentials, application data, and configuration settings. Depending on the application's functionality, this could lead to a complete compromise of the Parse Server instance and any applications relying on it. The blast radius extends to all users and data associated with the affected Parse Server deployment. The SQL injection vulnerability bypasses standard input validation, allowing attackers to craft malicious queries directly impacting the database.
CVE-2024-27298 was publicly disclosed on March 1, 2024. No known active exploitation campaigns have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are expected to emerge given the severity and ease of exploitation of SQL injection vulnerabilities.
Exploit Status
EPSS
0.31% (54% percentile)
CVSS Vector
The primary mitigation for CVE-2024-27298 is to immediately upgrade Parse Server to version 6.5.0 or 7.0.0-alpha.20 or later. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, consider implementing stricter input validation and sanitization on all user-supplied data before it is used in SQL queries. While not a complete solution, using parameterized queries or prepared statements can help prevent SQL injection attacks. Review and audit existing SQL queries for potential vulnerabilities. After upgrading, verify the fix by attempting a SQL injection attack on a non-critical endpoint to ensure the vulnerability is no longer exploitable.
Update Parse Server to version 6.5.0 or higher, or to version 7.0.0-alpha.20 or higher. This corrects the (SQL Injection) vulnerability. Ensure thorough testing is performed after the update to verify application functionality.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-27298 is a critical SQL injection vulnerability affecting Parse Server versions less than or equal to 6.5.0 and versions prior to 7.0.0-alpha.20, allowing attackers to potentially extract sensitive data.
Yes, if you are running Parse Server versions ≤ 6.5.0 or < 7.0.0-alpha.20 and using a PostgreSQL database, you are vulnerable to this SQL injection flaw.
Upgrade Parse Server to version 6.5.0 or 7.0.0-alpha.20 or later to remediate the vulnerability. Consider input validation as a temporary workaround.
No active exploitation campaigns have been reported at this time, but public proof-of-concept exploits are likely to emerge.
Refer to the official Parse Server security advisory for detailed information and updates: [https://github.com/parse/parse-server/security/advisories/GHSA-9g4x-639x-4p7w](https://github.com/parse/parse-server/security/advisories/GHSA-9g4x-639x-4p7w)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.