CVE-2025-64430
HIGH7.5EPSS 0.07%Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
描述
### Impact A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response. ### Patches The feature has been implemented in Parse Server 4.2.0 but never worked and reliably crashes the server when trying to use it due to a bug in its implementation. Since the feature is not currently working, and due to its risky nature, it has been removed to address the vulnerability. ### Workarounds None.
受影響套件(2)
- Bitnami/parse>= 4.2.0, < 7.5.4, >= 8.0.0, < 8.4.0
- npm/parse-server>= 4.2.0, < 7.5.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-64430
- PATCHhttps://github.com/parse-community/parse-server
- WEBhttps://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
- WEBhttps://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
- WEBhttps://github.com/parse-community/parse-server/pull/9903
- WEBhttps://github.com/parse-community/parse-server/pull/9904
- WEBhttps://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx