Reflected Cross-Site Scripting in Parse Server by Parse Community
CVE-2025-68115

5.3 MEDIUM

Key Information:

Vendor: Parse Community
CVE Published: 16 December 2025

What is CVE-2025-68115?

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Parse Server, an open-source backend that runs on Node.js. The issue lies in the password reset and email verification HTML pages, where user-controlled values are not escaped before being rendered, so an attacker can cause script to be injected into these pages. Versions prior to 8.6.1 and 9.1.0-alpha.3 are affected. The fixed versions escape user-supplied input before it is rendered in the HTML context. No workarounds are available for this vulnerability; upgrading is the only mitigation.
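The defect class described above, as an added illustration that is not Parse Server's code: a minimal password-reset page renderer in the vulnerable shape (user-controlled values interpolated into HTML verbatim) beside its hardened form (every value escaped first). The function names, the page fields and the sample input are assumptions constructed for this example; they do not reflect Parse Server's actual templates.

```javascript
// Added example, not code from Parse Server. It shows the bug class from the
// advisory (unescaped user-controlled values in a reset/verification page)
// next to the corrected pattern. Field and function names are assumptions.

// Escape the five characters that change meaning in an HTML text or attribute
// context. Ampersand must be handled first so earlier replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: request-controlled values land in the markup unchanged.
function renderResetPageUnsafe({ username, appId, error }) {
  return `<h1>Reset password for ${username}</h1>
<form method="post" action="/reset">
  <input type="hidden" name="appId" value="${appId}">
  <p class="error">${error}</p>
</form>`;
}

// Hardened shape: every user-controlled value is escaped before interpolation.
function renderResetPageSafe({ username, appId, error }) {
  return `<h1>Reset password for ${escapeHtml(username)}</h1>
<form method="post" action="/reset">
  <input type="hidden" name="appId" value="${escapeHtml(appId)}">
  <p class="error">${escapeHtml(error)}</p>
</form>`;
}

// Review check: no user-supplied string containing markup characters may
// appear verbatim in the rendered page. Returns true when the page is unsafe.
function containsRawMarkup(html, inputs) {
  return inputs.some((s) => /[<>"']/.test(s) && html.includes(s));
}

// Constructed sample input (not from the advisory): the error message closes
// the <p> it is placed in and opens a new element.
const SAMPLE = {
  username: 'alice',
  appId: 'demo',
  error: '</p><b>not a script</b>',
};

const UNSAFE_IS_INJECTABLE = containsRawMarkup(renderResetPageUnsafe(SAMPLE), Object.values(SAMPLE));
const SAFE_IS_INJECTABLE = containsRawMarkup(renderResetPageSafe(SAMPLE), Object.values(SAMPLE));

console.log('unsafe renderer leaks markup:', UNSAFE_IS_INJECTABLE);
console.log('safe renderer leaks markup:', SAFE_IS_INJECTABLE);
console.log(renderResetPageSafe(SAMPLE));
```

The `containsRawMarkup` check is a cheap regression test for this class of bug: run it over every server-rendered page that interpolates request data, with inputs that contain `<`, `>`, `"` and `'`, and fail the build if any of them survive unescaped.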

Affected Version(s)

parse-server < 8.6.1

parse-server >= 9.0.0, < 9.1.0-alpha.3

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
