CRITICAL 9.0
GHSA-6hh7-46r2-vf29
Server crashes on invalid Cloud Function or Cloud Job name
Details
### Impact
Calling a Parse Server Cloud Function or Cloud Job by an invalid name crashes the server and may allow code injection.
### Patches
Added string sanitization for the Cloud Function name and Cloud Job name.
### Workarounds
Sanitize the Cloud Function name and Cloud Job name before they reach Parse Server.
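As an added illustration of that workaround (example code, not Parse Server's own and not the patch in the fix commits), the following Express-style guard rejects malformed Cloud Function and Cloud Job names before the request reaches Parse Server. The advisory does not say which names trigger the crash, so the accepted set is an assumption: a plain identifier, with the object-prototype property names `__proto__`, `constructor` and `prototype` refused as a general precaution for any value later used as an object key. The `/parse` mount path, the 400 JSON error body, and the `simulate` stub for exercising the guard offline are likewise this example's assumptions.

```javascript
'use strict';

// Added example (not Parse Server's own code): a request guard that rejects
// malformed Cloud Function / Cloud Job names before the request reaches
// Parse Server, in the spirit of the advisory's workaround. The advisory does
// not say which names trigger the crash, so the allowed set below is an
// assumption: a plain identifier, with object-prototype property names refused
// as a general precaution for any value later used as an object key.

const NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;          // assumed policy
const RESERVED_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Returns true only for names the policy above accepts (empty names fail).
function isValidCloudName(name) {
  return typeof name === 'string'
    && NAME_PATTERN.test(name)
    && !RESERVED_NAMES.has(name);
}

// Pulls <name> out of <mountPath>/functions/<name> or <mountPath>/jobs/<name>.
// Returns null for any other route, and { kind, name: null } when the name
// segment is present but cannot be percent-decoded (treated as invalid).
function extractCloudName(urlPath, mountPath) {
  const mount = mountPath.replace(/\/+$/, '');                  // '/parse/' -> '/parse'
  if (!urlPath.startsWith(mount)) return null;
  const m = /^\/(functions|jobs)\/([^/?#]*)\/?$/.exec(urlPath.slice(mount.length));
  if (!m) return null;
  try {
    return { kind: m[1], name: decodeURIComponent(m[2]) };     // catches %5F%5Fproto%5F%5F
  } catch (e) {                                                 // malformed %-encoding
    return { kind: m[1], name: null };
  }
}

// Express-style middleware factory: install it at the app root before the
// Parse Server app is mounted on the same path. The 400 JSON body is this
// example's choice, not Parse Server's own error format.
function cloudNameGuard(mountPath = '/parse') {
  return function guard(req, res, next) {
    const target = extractCloudName(req.path, mountPath);
    if (target === null) return next();                         // not a cloud-code route
    if (!isValidCloudName(target.name)) {
      const what = target.kind === 'jobs' ? 'Cloud Job' : 'Cloud Function';
      return res.status(400).json({ error: `Invalid ${what} name` });
    }
    return next();
  };
}

// Minimal stand-in for an Express req/res so the guard can be exercised offline.
// Reports what the guard did: passed the request through, or the status/body it sent.
function simulate(path, mountPath = '/parse') {
  const outcome = { passedThrough: false, status: null, body: null };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  cloudNameGuard(mountPath)({ path }, res, () => { outcome.passedThrough = true; });
  return outcome;
}

// Constructed sample requests (not from the advisory), printed when run directly.
for (const p of ['/parse/functions/hello', '/parse/jobs/nightlyCleanup',
                 '/parse/functions/__proto__', '/parse/jobs/%5F%5Fproto%5F%5F',
                 '/parse/functions/%E0', '/parse/functions/', '/parse/classes/GameScore']) {
  console.log(p, '->', JSON.stringify(simulate(p)));
}
```

The guard decodes the name segment itself because Express leaves `req.path` percent-encoded, so a check on the raw path alone would miss `%5F%5Fproto%5F%5F`. Requests that are not cloud-code routes pass through untouched; a name that fails the policy, is empty, or cannot be decoded is answered with 400 before Parse Server sees it.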
### References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 (Fix for Parse Server 7 alpha)
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 (Fix for Parse Server 6 LTS)
Affected packages
npm / parse-server
Introduced in: 7.0.0-alpha.1
Fixed in: 7.0.0-alpha.29
Fix: npm install parse-server@7.0.0-alpha.29
Parse Server 6 LTS: fixed in 6.5.5 (see References below)
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-29027 [ADVISORY]
- https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b [WEB]
- https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e [WEB]
- https://github.com/parse-community/parse-server [PACKAGE]
- https://github.com/parse-community/parse-server/releases/tag/6.5.5 [WEB]
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 [WEB]