Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Parse-SDK-JS by parse-community

    CVE-2025-62374 (GCVE-0-2025-62374)

    Vulnerability from nvd – Published: 2025-10-14 20:06 – Updated: 2025-10-14 20:29
    VLAI
    Title
    Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
    Summary
    Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    Assigner
    Impacted products
    Vendor Product Version
    parse-community Parse-SDK-JS Affected: < 7.0.0-alpha.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62374",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T20:28:45.889503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T20:29:30.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Parse-SDK-JS",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 7.0.0-alpha.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code.  ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T20:06:43.697Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3"
            },
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/pull/2749",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/pull/2749"
            },
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132"
            },
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1"
            }
          ],
          "source": {
            "advisory": "GHSA-9f2h-7v79-mxw3",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62374",
        "datePublished": "2025-10-14T20:06:43.697Z",
        "dateReserved": "2025-10-10T14:22:48.204Z",
        "dateUpdated": "2025-10-14T20:29:30.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-62374 (GCVE-0-2025-62374)

    Vulnerability from cvelistv5 – Published: 2025-10-14 20:06 – Updated: 2025-10-14 20:29
    VLAI
    Title
    Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
    Summary
    Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    Assigner
    Impacted products
    Vendor Product Version
    parse-community Parse-SDK-JS Affected: < 7.0.0-alpha.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62374",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T20:28:45.889503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T20:29:30.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Parse-SDK-JS",
              "vendor": "parse-community",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 7.0.0-alpha.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code.  ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T20:06:43.697Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3"
            },
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/pull/2749",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/pull/2749"
            },
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132"
            },
            {
              "name": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1"
            }
          ],
          "source": {
            "advisory": "GHSA-9f2h-7v79-mxw3",
            "discovery": "UNKNOWN"
          },
          "title": "Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62374",
        "datePublished": "2025-10-14T20:06:43.697Z",
        "dateReserved": "2025-10-10T14:22:48.204Z",
        "dateUpdated": "2025-10-14T20:29:30.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }