Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround.
CVSS Information
N/A
Vulnerability Type
CWE-1321
Vulnerability Title
Parse Server 安全漏洞
Vulnerability Description
Parse Server是Parse Platform开源的一个开源后端,可以部署到任何可以运行 Node.js 的基础设施。 Parse Server 9.6.0-alpha.24之前版本和8.6.47之前版本存在安全漏洞,该漏洞源于云函数名称解析可遍历原型链,可能导致堆栈溢出。
CVSS Information
N/A
Vulnerability Type
N/A