PT-2025-45382 · Unknown · Parse Server

Published 2025-11-05 · Updated 2025-11-12 · CVE-2025-64430

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Parse Server versions 4.2.0 through 7.5.3
Parse Server versions 8.0.0 through 8.3.1-alpha.1

Description

Parse Server is an open source backend that can be deployed on Node.js infrastructure. A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload functionality when handling Parse.File uploads with a uri parameter. This allows a request to an arbitrary URI to be executed. The issue arises because Parse Server retrieves file data from a provided URI: it executes a request to that URI but fails to store the response, leading to a server crash.

Recommendations

Parse Server versions prior to 7.5.4
Parse Server versions prior to 8.4.0-alpha.1

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BIT-PARSE-2025-64430
CVE-2025-64430
GHSA-X4QJ-2F4Q-R4RX

Affected Products

Parse Server