GitHub Actions Elevated Permissions Vulnerability in Parse Server
CVE-2025-67727

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 12 December 2025

What is CVE-2025-67727?

In Parse Server versions before 8.6.0-alpha.2, a security vulnerability exists that allows GitHub Actions workflows to acquire elevated permissions. This flaw affects the CI/CD infrastructure of the repository, potentially granting access to sensitive GitHub secrets and write permissions defined in the workflow. Such an issue can lead to the unintended execution of code from forks or lifecycle scripts. Public GitHub forks with GitHub Actions enabled are particularly at risk. The vulnerability has been addressed in version 8.6.0-alpha.2 and associated commits.

Affected Version(s)

parse-server < 8.6.0-alpha.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
