Authentication Credential Vulnerability in Parse Server by Parse Community
CVE-2025-30168

6.9 MEDIUM

Key Information:

Vendor: Parse Community
CVE Published: 21 March 2025

What is CVE-2025-30168?

Parse Server is an open-source backend platform that lets developers build and deploy applications on any Node.js-compatible infrastructure. A vulnerability allows certain third-party authentication credentials to be reused across different Parse Server applications: if a user signs up through the same authentication provider in two distinct apps, a credential issued for one app can be presented to the other, permitting unauthorized access to that user's account across these applications. The issue affects deployments that use specific third-party authentication adapters configured in Parse Server. To mitigate the risk, upgrade to a fixed Parse Server version (7.5.2 or later; see Affected Version(s) below) and ensure client apps send the secure payload format, which the server distinguishes from the previously insecure configuration.
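The following is an added illustration of the weakness class described above, written for this page; it is not Parse Server's code and does not reproduce its adapter API. It models a Node.js backend that accepts a third-party credential (`authData`) to log a user in, and places a weak validation beside a hardened one. The provider lookup (`verifyWithProvider`), the credential strings, the `clientId` setting and the `aud` field are all constructed stand-ins for verifying a credential with a real identity provider.

```javascript
// Added illustration of the vulnerability class described above; this is NOT
// Parse Server's code. It models a backend that accepts a third-party
// credential ("authData") to log a user in, with a weak validation next to a
// hardened one. The provider lookup is a constructed stand-in for verifying the
// credential with the real identity provider (signature check or introspection).

// Constructed stand-in for the provider's verification result. Each credential
// identifies a user ("sub") and names the application it was issued to ("aud").
// The same person, "alice", holds one credential for App A and one for App B.
const PROVIDER_CREDENTIALS = {
  "cred-app-a-alice": { sub: "alice", aud: "client-id-app-a" },
  "cred-app-b-alice": { sub: "alice", aud: "client-id-app-b" },
};

// Verify a credential with the (stand-in) provider; null means not valid.
function verifyWithProvider(credential) {
  return PROVIDER_CREDENTIALS[credential] ?? null;
}

// Weak validation: confirms the credential is genuine and belongs to the
// claimed user, but never checks which application it was issued to. A
// credential obtained from a different app that uses the same provider is
// therefore accepted here too.
function validateAuthDataWeak(authData) {
  const info = verifyWithProvider(authData.access_token);
  if (!info) throw new Error("credential rejected by provider");
  if (info.sub !== authData.id) throw new Error("credential belongs to a different user");
  return info.sub; // user id that the backend will log in
}

// Hardened validation: the backend is configured with the client id the
// provider assigned to THIS application (hypothetical "clientId" setting), and
// additionally requires that the credential's audience matches it. Credentials
// issued to other apps are rejected even though the provider considers them valid.
function validateAuthDataHardened(authData, appConfig) {
  if (!appConfig || typeof appConfig.clientId !== "string") {
    throw new Error("server misconfigured: clientId must be set for this adapter");
  }
  const info = verifyWithProvider(authData.access_token);
  if (!info) throw new Error("credential rejected by provider");
  if (info.sub !== authData.id) throw new Error("credential belongs to a different user");
  if (info.aud !== appConfig.clientId) {
    throw new Error("credential was issued to a different application");
  }
  return info.sub;
}

// Run one login attempt and report the outcome instead of throwing, so the
// two validators can be compared side by side.
function attemptLogin(validator, authData, appConfig) {
  try {
    return { ok: true, user: validator(authData, appConfig) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Scenario: App A receives Alice's credential that was issued to App B
// (constructed sample data).
const APP_A = { clientId: "client-id-app-a" };
const crossAppAuthData = { id: "alice", access_token: "cred-app-b-alice" };
const ownAuthData = { id: "alice", access_token: "cred-app-a-alice" };

function demo() {
  return {
    weakCrossApp: attemptLogin(validateAuthDataWeak, crossAppAuthData, APP_A),
    hardenedCrossApp: attemptLogin(validateAuthDataHardened, crossAppAuthData, APP_A),
    hardenedOwnApp: attemptLogin(validateAuthDataHardened, ownAuthData, APP_A),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the weak validator logging Alice in at App A with a credential that was only ever issued to App B, while the hardened validator rejects it and still accepts App A's own credential. The design point is that "valid according to the provider" is not the same as "issued to this application": a backend that accepts third-party credentials needs a per-app identifier in its configuration and must bind each credential to it, which is the shape of the fix the advisory describes (server-side configuration plus a client payload the server can tell apart from the old insecure one).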

Affected Version(s)

parse-server < 7.5.2

parse-server >= 8.0.0, < 8.0.2

CVSS V3.1

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 March 2025