Vulnerability details: VCID-aj2x-xafd-vfh8
Vulnerability ID VCID-aj2x-xafd-vfh8
Aliases CVE-2022-36079
GHSA-2m6g-crv8-p3c6
Summary Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user-defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the master key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
epss 0.00595 https://api.first.org/data/v1/epss?cve=CVE-2022-36079
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2m6g-crv8-p3c6
cvssv3.1 8.6 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv3.1 8.6 https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec
generic_textual HIGH https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec
ssvc Track https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec
cvssv3.1 8.6 https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4
generic_textual HIGH https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4
ssvc Track https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4
cvssv3.1 8.6 https://github.com/parse-community/parse-server/issues/8143
generic_textual HIGH https://github.com/parse-community/parse-server/issues/8143
ssvc Track https://github.com/parse-community/parse-server/issues/8143
cvssv3.1 8.6 https://github.com/parse-community/parse-server/issues/8144
generic_textual HIGH https://github.com/parse-community/parse-server/issues/8144
ssvc Track https://github.com/parse-community/parse-server/issues/8144
cvssv3.1 8.6 https://github.com/parse-community/parse-server/releases/tag/4.10.14
generic_textual HIGH https://github.com/parse-community/parse-server/releases/tag/4.10.14
ssvc Track https://github.com/parse-community/parse-server/releases/tag/4.10.14
cvssv3.1 8.6 https://github.com/parse-community/parse-server/releases/tag/5.2.5
generic_textual HIGH https://github.com/parse-community/parse-server/releases/tag/5.2.5
ssvc Track https://github.com/parse-community/parse-server/releases/tag/5.2.5
cvssv3.1 8.6 https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
cvssv3.1 8.6 https://nvd.nist.gov/vuln/detail/CVE-2022-36079
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-36079
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/issues/8143
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/issues/8143
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/issues/8144
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/issues/8144
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/releases/tag/4.10.14
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/releases/tag/4.10.14
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/releases/tag/5.2.5
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/releases/tag/5.2.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:52:01Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36079
Exploit Prediction Scoring System (EPSS)
Percentile 0.69804
EPSS Score 0.00595
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:38:03.846207+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/36xxx/CVE-2022-36079.json 38.6.0