2 vulnerabilities found for Parse-SDK-JS by parse-community
CVE-2025-62374 (GCVE-0-2025-62374)
Vulnerability from cvelistv5 – Published: 2025-10-14 20:06 – Updated: 2025-10-14 20:29
Summary
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.
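Severity
6.4 (Medium)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3 | x_refsource_CONFIRM |
| https://github.com/parse-community/Parse-SDK-JS/pull/2749 | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132 | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| parse-community | Parse-SDK-JS | Affected: < 7.0.0-alpha.1 |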
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T20:28:45.889503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:29:30.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Parse-SDK-JS",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T20:06:43.697Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/pull/2749",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/pull/2749"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132"
},
{
"name": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1"
}
],
"source": {
"advisory": "GHSA-9f2h-7v79-mxw3",
"discovery": "UNKNOWN"
},
"title": "Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62374",
"datePublished": "2025-10-14T20:06:43.697Z",
"dateReserved": "2025-10-10T14:22:48.204Z",
"dateUpdated": "2025-10-14T20:29:30.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62374 (GCVE-0-2025-62374)
Vulnerability from nvd – Published: 2025-10-14 20:06 – Updated: 2025-10-14 20:29
Summary
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.
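Severity
6.4 (Medium)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3 | x_refsource_CONFIRM |
| https://github.com/parse-community/Parse-SDK-JS/pull/2749 | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132 | x_refsource_MISC |
| https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| parse-community | Parse-SDK-JS | Affected: < 7.0.0-alpha.1 |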