CVE-2024-27298 - Vulnerability Details - OpenCVE

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00079.

Key SSVC decision points have not yet been added.

Vendors	Products
Parse Community	Parse Server

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Parse Community	Parse Server

Advisories

Source	ID	Title
EUVD	EUVD-2024-0843	parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
Github GHSA	GHSA-6927-3vr9-fxf2	ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504
https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833
https://github.com/parse-community/parse-server/releases/tag/6.5.0
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20
https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-01T17:48:52.919Z

Updated: 2024-08-22T18:28:04.258Z

Reserved: 2024-02-22T18:08:38.875Z

Link: CVE-2024-27298

Vulnrichment

Updated: 2024-08-02T00:27:59.923Z

NVD

Status : Awaiting Analysis

Published: 2024-03-01T18:15:28.913

Modified: 2024-11-21T09:04:16.450

Link: CVE-2024-27298

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T22:31:19Z

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27298", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-22T18:08:38.875Z", "datePublished": "2024-03-01T17:48:52.919Z", "dateUpdated": "2024-08-22T18:28:04.258Z"}, "containers": {"cna": {"title": "Parse Server literalizeRegexPart SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}, {"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": "< 6.5.0", "status": "affected"}, {"version": ">= 7.0.0-alpha.1, < 7.0.0-alpha.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-01T17:48:52.919Z"}, "descriptions": [{"lang": "en", "value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"}], "source": {"advisory": "GHSA-6927-3vr9-fxf2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.923Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}, {"name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}]}, {"affected": [{"vendor": "parseplatform", "product": "parse-server", "cpes": ["cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.5.0", "versionType": "custom"}, {"version": "7.0.0-alpha.1", "status": "affected", "lessThan": "7.0.0-alpha.20", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-05T15:39:53.508702Z", "id": "CVE-2024-27298", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T18:28:04.258Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.923Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27298", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T15:39:53.508702Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"], "vendor": "parseplatform", "product": "parse-server", "versions": [{"status": "affected", "version": "0", "lessThan": "6.5.0", "versionType": "custom"}, {"status": "affected", "version": "7.0.0-alpha.1", "lessThan": "7.0.0-alpha.20", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T18:27:16.230Z"}}], "cna": {"title": "Parse Server literalizeRegexPart SQL Injection", "source": {"advisory": "GHSA-6927-3vr9-fxf2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": "< 6.5.0"}, {"status": "affected", "version": ">= 7.0.0-alpha.1, < 7.0.0-alpha.20"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "name": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "name": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "name": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "name": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-01T17:48:52.919Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27298", "state": "PUBLISHED", "dateUpdated": "2024-08-22T18:28:04.258Z", "dateReserved": "2024-02-22T18:08:38.875Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-01T17:48:52.919Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.\n"}, {"lang": "es", "value": "parse-server es un servidor Parse para Node.js/Express. Esta vulnerabilidad permite la inyecci\u00f3n de SQL cuando Parse Server est\u00e1 configurado para utilizar la base de datos PostgreSQL. La vulnerabilidad se solucion\u00f3 en 6.5.0 y 7.0.0-alpha.20. "}], "id": "CVE-2024-27298", "lastModified": "2024-11-21T09:04:16.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-01T18:15:28.913", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}, {"source": "security-advisories@github.com", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}