VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-5cyt-1hbn-pkgb

Essentials
Severities (24)
References (9)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-5cyt-1hbn-pkgb
Aliases	CVE-2025-64430 GHSA-x4qj-2f4q-r4rx
Summary	Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-918	Server-Side Request Forgery (SSRF)
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00073	https://api.first.org/data/v1/epss?cve=CVE-2025-64430
epss	0.00073	https://api.first.org/data/v1/epss?cve=CVE-2025-64430
epss	0.00073	https://api.first.org/data/v1/epss?cve=CVE-2025-64430
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-x4qj-2f4q-r4rx
cvssv3.1	7.5	https://github.com/parse-community/parse-server
generic_textual	HIGH	https://github.com/parse-community/parse-server
cvssv3.1	7.5	https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
generic_textual	HIGH	https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
ssvc	Track	https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
cvssv3.1	7.5	https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
generic_textual	HIGH	https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
ssvc	Track	https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
cvssv3.1	7.5	https://github.com/parse-community/parse-server/pull/9903
generic_textual	HIGH	https://github.com/parse-community/parse-server/pull/9903
ssvc	Track	https://github.com/parse-community/parse-server/pull/9903
cvssv3.1	7.5	https://github.com/parse-community/parse-server/pull/9904
generic_textual	HIGH	https://github.com/parse-community/parse-server/pull/9904
ssvc	Track	https://github.com/parse-community/parse-server/pull/9904
cvssv3.1	7.5	https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx
cvssv3.1_qr	HIGH	https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx
generic_textual	HIGH	https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx
ssvc	Track	https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-64430
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-64430

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-64430
		https://github.com/parse-community/parse-server
		https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
		https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585
		https://github.com/parse-community/parse-server/pull/9903
		https://github.com/parse-community/parse-server/pull/9904
CVE-2025-64430		https://nvd.nist.gov/vuln/detail/CVE-2025-64430
GHSA-x4qj-2f4q-r4rx		https://github.com/advisories/GHSA-x4qj-2f4q-r4rx
GHSA-x4qj-2f4q-r4rx		https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/parse-community/parse-server

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/ Found at https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/ Found at https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/parse-community/parse-server/pull/9903

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/ Found at https://github.com/parse-community/parse-server/pull/9903

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/parse-community/parse-server/pull/9904

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/ Found at https://github.com/parse-community/parse-server/pull/9904

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64430

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.22304
EPSS Score	0.00073
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:48:25.297104+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2025-64430.yml	38.6.0