Platform
nodejs
Component
parse-server
Fixed in
7.5.3
8.0.1
7.5.2
CVE-2025-30168 affects Parse Server, an open-source backend for mobile apps. This vulnerability arises from how Parse Server handles authentication with third-party providers. An attacker could potentially leverage credentials from one Parse Server application to authenticate users in another, unrelated application, leading to unauthorized access and data compromise. The vulnerability is resolved in version 7.5.2 and users are strongly advised to upgrade.
The core impact of CVE-2025-30168 lies in the potential for credential sharing across Parse Server applications. Imagine a scenario where a user authenticates with Google in both App A and App B, both using Parse Server. Prior to 7.5.2, the authentication credentials stored by App A could be exploited to authenticate the same user in App B, bypassing App B's intended security measures. This is particularly concerning in multi-tenant environments where multiple applications share the same Parse Server instance. The blast radius extends to any data accessible within the target application, including user profiles, application data, and potentially sensitive information. While the vulnerability is tied to specific third-party authentication providers, the potential for cross-application access represents a significant security risk.
CVE-2025-30168 was published on March 21, 2025. Its severity is rated as MEDIUM (CVSS 6.9). There is no indication of this vulnerability being actively exploited in the wild at this time. Public proof-of-concept (POC) code is currently unavailable. The EPSS score is pending evaluation, but given the lack of public exploitation and available POCs, the probability of exploitation is considered low to medium. Refer to the NVD (National Vulnerability Database) for updates and further information.
Exploit Status
EPSS
0.16% (37% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-30168 is upgrading Parse Server to version 7.5.2 or later. This version includes the necessary fixes to prevent credential sharing. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter access controls within each Parse Server application to limit the potential impact of a compromised credential. Review and audit your authentication provider configurations to ensure they adhere to best practices. While a direct WAF rule is unlikely, monitoring authentication logs for unusual patterns (e.g., authentication attempts from unexpected applications) can provide early detection. A Sigma rule could be developed to detect suspicious authentication patterns, focusing on user IDs appearing across multiple applications within a short timeframe. After upgrading, verify the fix by attempting authentication with a user account across multiple Parse Server applications and confirming that the credentials are not shared.
Actualice Parse Server a la versión 7.5.2 o superior, o a la versión 8.0.2 o superior. Además, actualice la aplicación cliente para enviar una carga útil segura, ya que la carga útil anterior es vulnerable. Esto solucionará la vulnerabilidad de autenticación OAuth.
Vulnerability analysis and critical alerts directly to your inbox.
It's a vulnerability in Parse Server that allows authentication credentials from third-party providers to be shared between different Parse Server applications, potentially granting unauthorized access.
You are affected if you are using Parse Server versions prior to 7.5.2 and utilize third-party authentication providers for user authentication.
Upgrade Parse Server to version 7.5.2 or later to resolve the vulnerability. If immediate upgrade is not possible, implement stricter access controls.
Currently, there is no public evidence of CVE-2025-30168 being actively exploited in the wild.
Refer to the Parse Server documentation and the NVD (National Vulnerability Database) for detailed information and updates: https://nvd.nist.gov/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.