CVE-2025-64430: Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality allows a client that uploads a Parse.File with the uri parameter to make the server issue a request to an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI supplied in the request. The request to the supplied URI is executed, but the response is not stored in Parse Server's file storage, because the server crashes upon receiving the response.
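As an added illustration (not Parse Server's code or the upstream fix), the kind of validation a server should apply to a client-supplied file URI before fetching anything from it: http(s) only, no embedded credentials, no loopback, link-local or RFC 1918 literal addresses, and an optional host allowlist. The function names checkUploadUri, isPrivateIPv4 and isPrivateIPv6 and the sample hosts are assumptions of this example.

```javascript
// Added example (not Parse Server's code or the upstream fix): validate a
// client-supplied file URI before the server fetches anything from it.
// checkUploadUri / isPrivateIPv4 / isPrivateIPv6 are names chosen for this example.

// Literal IPv4 address in the unspecified, loopback, RFC 1918 private or
// link-local (which includes cloud metadata endpoints) ranges.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Literal IPv6 address that is unspecified, loopback, link-local, unique-local,
// or an IPv4-mapped address (dotted or hex form) wrapping a private IPv4.
function isPrivateIPv6(ip) {
  const v = ip.toLowerCase();
  if (v === "::" || v === "::1") return true;
  if (/^fe[89ab]/.test(v) || /^f[cd]/.test(v)) return true;
  const dotted = v.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isPrivateIPv4(dotted[1]);
  const hex = v.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// Returns { ok, reason }. allowedHosts (optional Set of lowercase hostnames)
// turns the check into a strict allowlist, which is the stronger control.
function checkUploadUri(uri, allowedHosts) {
  let url;
  try { url = new URL(uri); } catch { return { ok: false, reason: "unparseable" }; }
  // WHATWG URL parsing normalises address tricks such as "0x7f000001" or "127.1"
  // to dotted-quad form before the checks below run.
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  let host = url.hostname;                            // already lowercased by URL
  if (host.startsWith("[")) host = host.slice(1, -1); // strip IPv6 literal brackets
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "blocked-host" };
  if (/^\d+(\.\d+){3}$/.test(host) && isPrivateIPv4(host)) return { ok: false, reason: "private-ip" };
  if (host.includes(":") && isPrivateIPv6(host)) return { ok: false, reason: "private-ip" };
  if (allowedHosts && !allowedHosts.has(host)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, reason: "" };
}
```

A literal-address check alone does not cover a public hostname that resolves to an internal address, so the resolved address must be re-checked at connect time (or an allowlist used) for the control to hold.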
References
- github.com/advisories/GHSA-x4qj-2f4q-r4rx
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
- github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
- github.com/parse-community/parse-server/pull/9903
- github.com/parse-community/parse-server/pull/9904
- github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx
- nvd.nist.gov/vuln/detail/CVE-2025-64430