CVE-2025-30168
📋 TL;DR
Parse Server versions before 7.5.2 and 8.0.2 have an authentication vulnerability where third-party authentication provider credentials can be reused across unrelated Parse Server applications. This allows attackers to authenticate as users in one application using credentials from another application. Only applications using affected third-party authentication providers are impacted.
💻 Affected Systems
- Parse Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to user accounts across multiple Parse Server applications, potentially compromising sensitive data and performing unauthorized actions.
Likely Case
Credential reuse across applications allows attackers to impersonate users in unrelated systems, leading to account takeover and data exposure.
If Mitigated
With proper authentication controls and isolation in place, reused credentials are rejected, and the impact is limited to detectable reuse attempts and minor authentication anomalies in the logs.
🎯 Exploit Status
Exploitation requires knowledge of affected third-party authentication provider configurations and access to credential data from one application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.2 and 8.0.2
Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories
Restart Required: Yes
Instructions:
1. Upgrade Parse Server to version 7.5.2 or 8.0.2 or later.
2. Update client applications to send secure authentication payloads.
3. Restart Parse Server instances.
4. Test authentication flows with affected third-party providers.
🔧 Temporary Workarounds
Disable affected third-party authentication
- Temporarily disable the affected third-party authentication providers until patching is complete.
- Modify the Parse Server configuration to remove or comment out the affected auth providers in the auth option.
🧯 If You Can't Patch
- Implement additional authentication validation layers to detect credential reuse across applications
- Monitor authentication logs for unusual patterns of credential usage from multiple application sources
🔍 How to Verify
Check if Vulnerable:
Check the Parse Server version and whether any third-party authentication providers are configured. Versions before 7.5.2 (7.x line) or 8.0.2 (8.x line) with third-party auth configured are vulnerable.
Check Version:
npm list parse-server | grep parse-server
Verify Fix Applied:
Verify that the Parse Server version is 7.5.2 or 8.0.2 or later, and test that authentication credentials issued for one application cannot be used to authenticate against another.
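The two checks above (version range and whether third-party providers are actually configured) combined into one script. This is an added example, not code from this page or from the Parse Server project; it assumes the parsed output of `npm list parse-server --json` and a server config whose `auth` option is keyed by provider name, with `{ enabled: false }` meaning a disabled provider.

```javascript
// Added example, not code from the page or from the Parse Server project.
// Combines the two checks the page describes: is the installed parse-server
// inside the CVE-2025-30168 range (fixed in 7.5.2 and 8.0.2), and does the
// deployment actually configure third-party auth providers in `auth`?

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  // Fourth component sorts pre-releases (7.5.2-alpha.1) before the final 7.5.2,
  // so a pre-release of the fixed version is still reported as affected.
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function cmp(a, b) {
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected: any version below 7.5.2, or an 8.x version below 8.0.2.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  const fixed = v[0] >= 8 ? [8, 0, 2, 1] : [7, 5, 2, 1];
  return cmp(v, fixed) < 0;
}

// Third-party providers are the keys of the `auth` option. Entries set to
// `false` or `{ enabled: false }` are treated as disabled (assumed config shape).
function configuredAuthProviders(serverConfig) {
  const auth = (serverConfig && serverConfig.auth) || {};
  return Object.keys(auth).filter(name => {
    const opts = auth[name];
    return opts !== false && !(opts && opts.enabled === false);
  });
}

// `npmListJson` is the parsed output of `npm list parse-server --json`.
function assess(npmListJson, serverConfig) {
  const dep = npmListJson.dependencies && npmListJson.dependencies['parse-server'];
  if (!dep) throw new Error('parse-server is not installed here');
  const providers = configuredAuthProviders(serverConfig);
  const affectedVersion = isAffectedVersion(dep.version);
  return { version: dep.version, affectedVersion, providers,
           vulnerable: affectedVersion && providers.length > 0 };
}

// Constructed sample input: a pre-fix 7.x install with two providers enabled
// and anonymous auth explicitly disabled.
const sampleNpmList = { dependencies: { 'parse-server': { version: '7.5.1' } } };
const sampleConfig = { auth: { google: { clientId: 'example' }, facebook: { appIds: ['1'] },
                               anonymous: { enabled: false } } };
console.log(assess(sampleNpmList, sampleConfig)); // vulnerable: true
```

A deployment on an affected version with an empty or absent auth option is reported as not vulnerable, which matches the page's statement that only applications using third-party providers are impacted.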
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts using credentials from different application sources
- Multiple successful authentications with the same credentials across different applications
Network Indicators:
- Unusual authentication request patterns to third-party providers from multiple application endpoints
SIEM Query:
source="parse-server" AND (event="authentication" OR event="auth") AND (credential_reuse OR cross_application_auth)
🔗 References
- https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication
- https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e
- https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f
- https://github.com/parse-community/parse-server/pull/9667
- https://github.com/parse-community/parse-server/pull/9668
- https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv