Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Parse-SDK-JS by parse-community
CVE-2025-62374 (GCVE-0-2025-62374)
Vulnerability from nvd – Published: 2025-10-14 20:06 – Updated: 2025-10-14 20:29
VLAI
EPSS
VEX
Title
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Summary
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/parse-community/Parse-SDK-JS/s… | x_refsource_CONFIRM |
| https://github.com/parse-community/Parse-SDK-JS/p… | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/c… | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| parse-community | Parse-SDK-JS |
Affected:
< 7.0.0-alpha.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T20:28:45.889503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:29:30.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Parse-SDK-JS",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:06:43.697Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/pull/2749",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/pull/2749"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1"
}
],
"source": {
"advisory": "GHSA-9f2h-7v79-mxw3",
"discovery": "UNKNOWN"
},
"title": "Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62374",
"datePublished": "2025-10-14T20:06:43.697Z",
"dateReserved": "2025-10-10T14:22:48.204Z",
"dateUpdated": "2025-10-14T20:29:30.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62374 (GCVE-0-2025-62374)
Vulnerability from cvelistv5 – Published: 2025-10-14 20:06 – Updated: 2025-10-14 20:29
VLAI
EPSS
VEX
Title
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Summary
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/parse-community/Parse-SDK-JS/s… | x_refsource_CONFIRM |
| https://github.com/parse-community/Parse-SDK-JS/p… | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/c… | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| parse-community | Parse-SDK-JS |
Affected:
< 7.0.0-alpha.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T20:28:45.889503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:29:30.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Parse-SDK-JS",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:06:43.697Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/pull/2749",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/pull/2749"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1"
}
],
"source": {
"advisory": "GHSA-9f2h-7v79-mxw3",
"discovery": "UNKNOWN"
},
"title": "Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62374",
"datePublished": "2025-10-14T20:06:43.697Z",
"dateReserved": "2025-10-10T14:22:48.204Z",
"dateUpdated": "2025-10-14T20:29:30.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}