CVE-2025-68115
📋 TL;DR
Parse Server versions before 8.6.1 and 9.1.0-alpha.3 contain a reflected cross-site scripting (XSS) vulnerability in password reset and email verification pages. Attackers can inject malicious scripts that execute in users' browsers when they click specially crafted links. All Parse Server deployments using affected versions with password reset or email verification enabled are vulnerable.
💻 Affected Systems
- Parse Server
📦 What is this software?
Parse Server by Parseplatform
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user session cookies, credentials, or perform actions on behalf of authenticated users, potentially leading to account takeover and data theft.
Likely Case
Attackers craft phishing emails with malicious links to password reset pages, executing scripts in victims' browsers to steal session tokens or credentials.
If Mitigated
With proper input validation and output encoding, malicious scripts are rendered harmless as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious links) but doesn't require authentication. The vulnerability is in publicly accessible password reset/verification pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.6.1 or 9.1.0-alpha.3
Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv
Restart Required: Yes
Instructions:
1. Update Parse Server to version 8.6.1 or 9.1.0-alpha.3 using npm: 'npm update parse-server'
2. Restart the Parse Server application
3. Verify the update completed successfully
🔧 Temporary Workarounds
Disable password reset and email verification
Temporarily disable vulnerable features until patching is possible
Set 'verifyUserEmails' and 'enablePasswordReset' to false in Parse Server configuration
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Add Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check the Parse Server version in package.json or via 'npm list parse-server'. If the version is below 8.6.1, or is a 9.x pre-release before 9.1.0-alpha.3, the system is vulnerable.
Check Version:
npm list parse-server | grep parse-server
Verify Fix Applied:
After updating, verify the version is 8.6.1 or higher (or 9.1.0-alpha.3). Test password reset and email verification pages with XSS payloads to confirm they're properly escaped.
📡 Detection & Monitoring
Log Indicators:
- Unusual parameters in password reset/verification URLs containing script tags or JavaScript
- Multiple failed password reset attempts from the same IP
Network Indicators:
- HTTP requests to password reset endpoints with encoded script payloads in query parameters
SIEM Query:
source="parse-server" AND (url="*/requestPasswordReset*" OR url="*/verifyEmail*") AND (param="*<script>*" OR param="*javascript:*")
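The detection logic above, as an added Node.js example that is not Parse Server code: it scopes to the two endpoint name fragments used in the SIEM query (adapt these to your deployment's mount path), decodes parameter values repeatedly so percent- or double-encoded payloads are not missed, and flags the two indicators named above. The access-log line format and all sample traffic are constructed for this example.

```javascript
// Added example, not part of Parse Server: scan access-log lines for requests to the
// password reset / email verification pages whose query parameters carry script payloads.
const SENSITIVE_ENDPOINTS = ['requestPasswordReset', 'verifyEmail']; // from the SIEM query above
const PAYLOAD_PATTERNS = [/<\s*script/i, /javascript\s*:/i];

// Percent-decode repeatedly (bounded) so double-encoding cannot hide a payload;
// stop quietly on a malformed escape sequence instead of throwing.
function fullyDecode(value, rounds = 3) {
  let out = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Parse one line of the constructed log format "<client-ip> <method> <target> <status>".
// The base host is a placeholder that only lets URL parse a relative target.
function parseLogLine(line) {
  const [ip, method, target, status] = line.trim().split(/\s+/);
  const url = new URL(target, 'http://placeholder.invalid');
  return { ip, method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// Return a finding ({ ip, path, hits }) for a suspicious line, or null otherwise.
function inspectLine(line) {
  const req = parseLogLine(line);
  if (!SENSITIVE_ENDPOINTS.some((e) => req.path.includes(e))) return null;
  const hits = [];
  for (const [name, raw] of req.params) { // searchParams has already decoded once
    const decoded = fullyDecode(raw);
    if (PAYLOAD_PATTERNS.some((re) => re.test(decoded))) hits.push({ name, decoded });
  }
  return hits.length ? { ip: req.ip, path: req.path, hits } : null;
}

const scanLog = (lines) => lines.map(inspectLine).filter(Boolean);

// Constructed sample traffic (not real logs): a benign reset, an encoded script tag,
// a double-encoded one, a javascript: URL, and a payload on an unrelated path.
const SAMPLE_LOG = [
  '203.0.113.7 GET /apps/demo/requestPasswordReset?token=abc123&username=alice 200',
  '203.0.113.9 GET /apps/demo/requestPasswordReset?token=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200',
  '198.51.100.4 GET /apps/demo/verifyEmail?username=%253Cscript%253E 200',
  '198.51.100.6 GET /apps/demo/verifyEmail?link=javascript%3Aalert(1) 200',
  '198.51.100.5 GET /apps/demo/health?q=%3Cscript%3E 200',
];
console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The last sample shows why scoping matters: the same payload on an unrelated path is not reported, which keeps the alert tied to the pages this advisory concerns.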