Description
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
Problem types
Download of Code Without Integrity Check
Product status
Any version before 4.10.0
4.10.0 (semver)
References
github.com/...server/security/advisories/GHSA-593v-wcqx-hq2w (GitHub Security Advisory (GHSA-593v-wcqx-hq2w))
www.vulncheck.com/...de-execution-via-malicious-version-tags (VulnCheck Advisory: Parse Server - Arbitrary Code Execution via Malicious Version Tags)