Improper access control in parse-server - CVE-2025-30168

 


Published: March 21, 2025 / Updated: May 23, 2026


Vulnerability identifier: #VU132202
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-30168
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MeetFox
Affected software: parse-server

Detailed vulnerability description

The vulnerability allows a remote user to authenticate across multiple Parse Server apps.

The vulnerability exists due to improper access control in 3rd party authentication handling when processing authentication credentials from affected authentication providers. A remote user can use credentials stored by one app to authenticate as the same user in another app, and so authenticate across multiple Parse Server apps.

Only Parse Server apps that use an affected 3rd party authentication provider for user authentication are vulnerable.


How to mitigate CVE-2025-30168

Install the security update from the vendor's website.
