CVE-2025-30168 (GCVE-0-2025-30168)
Vulnerability from cvelistv5
Published
2025-03-21 14:54
Modified
2025-03-21 15:12
CWE
- CWE-287 - Improper Authentication
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the third-party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected third-party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. Fixing this vulnerability requires upgrading Parse Server to a version that includes the bug fix, as well as upgrading the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2.
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv (x_refsource_CONFIRM)
- https://github.com/parse-community/parse-server/pull/9667
- https://github.com/parse-community/parse-server/pull/9668
- https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e
- https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f
- https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication
Impacted products
Vendor | Product | Version
---|---|---
parse-community | parse-server | < 7.5.2
parse-community | parse-server | >= 8.0.0, < 8.0.2
Title: Parse Server has an OAuth login vulnerability
Source advisory: GHSA-837q-jhwx-cmpv (discovery: UNKNOWN)
CVSS v3.1 (CNA: GitHub_M)
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
- Base score: 6.9 (MEDIUM); NVD exploitability score 1.6, impact score 4.7
- Attack vector: NETWORK; attack complexity: HIGH; privileges required: NONE; user interaction: REQUIRED; scope: CHANGED
- Confidentiality impact: HIGH; integrity impact: LOW; availability impact: NONE
CISA ADP Vulnrichment (SSVC 2.0.3, role: CISA Coordinator, timestamp 2025-03-21T15:12:30.748285Z; orgId 134c704f-9b21-4f2e-91b3-4a467353bcc0, updated 2025-03-21T15:12:37.719Z)
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE metadata
- CVE ID: CVE-2025-30168; state: PUBLISHED; data type: CVE_RECORD; data version: 5.1
- Assigner: GitHub_M (orgId a0819718-46f1-4df5-94e2-005712e83aaa)
- Reserved: 2025-03-17T12:41:42.569Z; published: 2025-03-21T14:54:22.369Z; updated: 2025-03-21T15:12:37.719Z
- NVD entry: source security-advisories@github.com; published 2025-03-21T15:15:43.440; status: Awaiting Analysis; weakness CWE-287 (Primary)
Sightings
Author | Source | Type | Date
---|---|---|---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.