Main Vulnerability Database SB2025110554

SB2025110554 - Denial of service via SSRF in Parse Server

Published: November 5, 2025

Security Bulletin ID SB2025110554

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-64430)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in the file upload functionality when trying to upload a Parse.File with uri parameter. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary URI. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response.

Remediation

Install update from vendor's website.

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx