Platform: nodejs
Component: parse-server
Fixed in: 4.2.1, 8.0.1, 7.5.4
CVE-2025-64430 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Parse Server's file upload functionality. This flaw allows attackers to trigger requests to arbitrary URIs, potentially exposing sensitive data or enabling unauthorized access. The vulnerability affects Parse Server versions prior to 7.5.4; the fix ships in version 7.5.4.
The SSRF vulnerability in Parse Server arises from the way it handles file uploads with a uri parameter. When a user attempts to upload a Parse.File specifying a URI, Parse Server attempts to retrieve the file data from that URI. Critically, the response from this external URI is not properly handled, causing the server to crash. While the server doesn't store the response, the attacker can still trigger requests to internal or external resources, potentially accessing sensitive data or interacting with other systems. This could lead to information disclosure, privilege escalation, or even remote code execution depending on the targeted URI and the server's configuration. The crash itself can also be used as a denial-of-service vector.
CVE-2025-64430 was publicly disclosed on 2025-11-05. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge.
Organizations using Parse Server for backend services, particularly those handling sensitive data or integrating with internal systems, are at risk. Deployments relying on file upload functionality and those with less stringent URI validation are especially vulnerable. Shared hosting environments using Parse Server may also be affected.
• nodejs / server: Monitor Parse Server logs for outbound requests to unexpected or unauthorized URIs. Use journalctl to filter for errors related to file uploads and URI processing (journalctl accepts only one --grep pattern, so the second filter is applied with grep).
journalctl -u parse-server --grep 'uri' | grep -i 'error'
• generic web: Use curl or wget to check for exposed endpoints related to file uploads and observe the responses for signs of SSRF activity.
curl -v 'https://your-parse-server/files/upload?uri=http://internal-system/'
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-64430 is to upgrade Parse Server to version 7.5.4 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to restrict the allowed URIs for file uploads, limiting them to trusted domains. Additionally, implement strict input validation to prevent attackers from injecting malicious URIs. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious URI patterns. Monitor Parse Server logs for unusual outbound requests that might indicate exploitation attempts.
Upgrade Parse Server to version 7.5.4 or later, or to version 8.4.0-alpha.1 or later. This fixes the SSRF vulnerability in the file upload functionality. The update prevents arbitrary URIs from being fetched during file upload.
CVE-2025-64430 is a Server-Side Request Forgery (SSRF) vulnerability in Parse Server's file upload functionality, allowing attackers to trigger requests to arbitrary URIs.
You are affected if you are running a Parse Server version prior to 7.5.4 and use the file upload feature.
Upgrade Parse Server to version 7.5.4 or later to remediate the vulnerability. Implement temporary workarounds like restricting allowed URIs if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official Parse Server documentation and security advisories for updates and detailed information regarding CVE-2025-64430.