Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and...

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Description

Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.

Basic Information

ID CVE-2025-62374

Source GitHub_M

Published Oct 14, 2025 at 20:06

Affected Product

Vendor parse-community

Product Parse-SDK-JS

Version < 7.0.0-alpha.1

Affected Versions parse-community Parse-SDK-JS < 7.0.0-alpha.1

CWE Classification

CWE-1321

References

{
    "lastseen": "",
    "description": "Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code.  ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.",
    "published": "2025-10-14T20:06:43.697Z",
    "modified": "2025-10-14T20:06:43.697Z",
    "type": "cve",
    "title": "Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs",
    "source": "GitHub_M",
    "references": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3\nhttps://github.com/parse-community/Parse-SDK-JS/pull/2749\nhttps://github.com/parse-community/Parse-SDK-JS/commit/00973987f361368659c0c4dbf669f3897520b132\nhttps://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1",
    "id": "CVE-2025-62374",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "parse-community Parse-SDK-JS < 7.0.0-alpha.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Parse-SDK-JS",
    "version": "< 7.0.0-alpha.1",
    "vendor": "parse-community",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs_CVE-2025-62374