CVE-2026-33539
EPSS 0.02%

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Description
### Impact

An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.

### Patches

Field names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter.

### Workarounds

No workaround. Upgrade to a patched version.
Affected packages (2)
- Bitnami/parse: from 0, < 8.6.59; >= 9.0.0, < 9.6.0
- npm/parse-server: >= 9.0.0, < 9.6.0-alpha.53
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-33539
- PATCH: https://github.com/parse-community/parse-server
- WEB: https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c
- WEB: https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e
- WEB: https://github.com/parse-community/parse-server/pull/10272
- WEB: https://github.com/parse-community/parse-server/pull/10273
- WEB: https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3