SB2025032199 - Improper access control in parse-server

Published: March 21, 2025 Updated: May 23, 2026

Security Bulletin ID SB2025032199
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2025-30168)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to authenticate across multiple Parse Server apps.

The vulnerability exists due to improper access control in third-party authentication handling when processing authentication credentials from affected authentication providers. Because credentials stored for a user by one app are accepted by another app, a remote user can reuse them to authenticate as the same user across multiple Parse Server apps.

Only Parse Server apps that use an affected 3rd party authentication provider for user authentication are vulnerable.


Remediation

Install the update from the vendor's website.