CVE-2025-64430

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response. This issue is fixed in versions 7.5.4 and 8.4.0-alpha.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
https://github.com/parse-community/parse-server/pull/9903
https://github.com/parse-community/parse-server/pull/9904
https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx

Configurations

No configuration.

History

07 Nov 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-07 18:15

Updated : 2025-11-12 16:20

NVD link : CVE-2025-64430

Mitre link : CVE-2025-64430

CVE.ORG link : CVE-2025-64430

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

7.5 /10