CVE-2025-62374 | THREATINT

Description

Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.

PUBLISHED Reserved 2025-10-10 | Published 2025-10-14 | Updated 2025-10-14 | Assigner GitHub_M

MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

< 7.0.0-alpha.1

affected

References

github.com/...SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3

github.com/parse-community/Parse-SDK-JS/pull/2749

github.com/...ommit/00973987f361368659c0c4dbf669f3897520b132

github.com/...munity/Parse-SDK-JS/releases/tag/7.0.0-alpha.1

cve.org (CVE-2025-62374)

nvd.nist.gov (CVE-2025-62374)

Download JSON