Description
Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
Problem types
Download of Code Without Integrity Check
Product status
Any version before 4.10.0
4.10.0 (semver)
References
github.com/...server/security/advisories/GHSA-593v-wcqx-hq2w (GitHub Security Advisory (GHSA-593v-wcqx-hq2w))
www.vulncheck.com/...de-execution-via-malicious-version-tags (VulnCheck Advisory: Parse Server - Unreviewed Code Execution via Malicious Version Tags)