CVE-2022-39313 - Vulnerability Details - OpenCVE

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00411.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Parseplatform	Parse-server

Configuration 1 [-]

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7100	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds.
Github GHSA	GHSA-h423-w6qv-2wj3	parse-server crashes when receiving file download request with invalid byte range

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3

History

Wed, 23 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-24T00:00:00.000Z

Updated: 2025-04-23T16:45:01.017Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39313

Vulnrichment

Updated: 2024-08-03T12:00:44.102Z

NVD

Status : Modified

Published: 2022-10-24T14:15:51.333

Modified: 2024-11-21T07:18:00.830

Link: CVE-2022-39313

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39313", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:45:01.017Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-24T00:00:00.000Z"}, "containers": {"cna": {"title": "Parse Server crashes when receiving file download request with invalid byte range", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-24T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds."}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 4.10.17", "status": "affected"}, {"version": ">= 5.0.0, < 5.2.8", "status": "affected"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "cweId": "CWE-1284"}]}], "source": {"advisory": "GHSA-h423-w6qv-2wj3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.102Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:49:54.286238Z", "id": "CVE-2022-39313", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:45:01.017Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39313", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:45:01.017Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-24T00:00:00.000Z"}, "containers": {"cna": {"title": "Parse Server crashes when receiving file download request with invalid byte range", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-24T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds."}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 4.10.17", "status": "affected"}, {"version": ">= 5.0.0, < 5.2.8", "status": "affected"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "cweId": "CWE-1284"}]}], "source": {"advisory": "GHSA-h423-w6qv-2wj3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.102Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39313", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:49:54.286238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:49:56.394Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DA06758A-242F-4041-9C99-8F1C4A10FEBB", "versionEndExcluding": "4.10.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7BA5CD83-258C-4925-A7CF-1B1F3B34BE55", "versionEndExcluding": "5.2.8", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede desplegarse en cualquier infraestructura que pueda ejecutar Node.js. Las versiones anteriores a 4.10.17, y anteriores a 5.2.8 en la rama 5.x, son bloqueados cuando es recibida una petici\u00f3n de descarga de archivos con un rango de bytes no v\u00e1lido, resultando en una Denegaci\u00f3n de Servicio. Este problema ha sido parcheado en versiones 4.10.17 y 5.2.8. No se presentan mitigaciones conocidas"}], "id": "CVE-2022-39313", "lastModified": "2024-11-21T07:18:00.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-24T14:15:51.333", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}]}