CVE-2021-47987— Parse Server - Arbitrary Code Execution via Malicious Version Tags
Possible ATT&CK Techniques 1AI
T1195.002 · Compromise Software Supply ChainGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-47987
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Server - Arbitrary Code Execution via Malicious Version Tags
Source: NVD (National Vulnerability Database)
Vulnerability Description
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
下载代码缺少完整性检查
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| parse-community | parse-server | 0 ~ 4.10.0 | - |
II. Public POCs for CVE-2021-47987
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-47987
请登录查看更多情报信息。
Vendor Advisories for CVE-2021-47987 (1)
Other References for CVE-2021-47987 (1)
IV. Related Vulnerabilities
Same product: parse-server
- CVE-2021-47986
Parse Server - Unreviewed Code Execution via Malicious Versi - CVE-2026-53726
Parse Server: Relation `$relatedTo` query bypasses `protecte - CVE-2026-53725
Parse Server: Endpoints `/login` and `/verifyPassword` discl - CVE-2026-53724
Parse Server: Stored XSS via trailing-dot filename bypassing - CVE-2026-50008
Parse Server: Server option routeAllowList is bypassable thr
Same vendor: parse-community
- CVE-2021-47986
Parse Server - Unreviewed Code Execution via Malicious Versi - CVE-2026-53726
Parse Server: Relation `$relatedTo` query bypasses `protecte - CVE-2026-53725
Parse Server: Endpoints `/login` and `/verifyPassword` discl - CVE-2026-53724
Parse Server: Stored XSS via trailing-dot filename bypassing - CVE-2026-50008
Parse Server: Server option routeAllowList is bypassable thr
Same weakness: CWE-494
- CVE-2021-47986
Parse Server - Unreviewed Code Execution via Malicious Versi - CVE-2026-9037
Download of code without integrity check in XCharge C6 - CVE-2026-9089
ConnectWise Automate Agent 安全漏洞 - CVE-2026-42249
Remote Code Execution in Ollama via Update Mechanism - CVE-2026-42248
Missing Signature Verification for Updates in Ollama
V. Comments for CVE-2021-47987
No comments yet