Parse Server, a widely used open-source backend that can be deployed on any infrastructure running Node.js, has been found to contain a critical vulnerability in its third-party authentication handling. Versions prior to 7.5.2 and 8.0.2 are affected. The flaw allows authentication credentials issued by certain providers to be reused across multiple, unrelated Parse Server applications. This post discusses the details of the vulnerability, shares code snippets, and recommends how to address the issue.
Exploit Details
The vulnerability concerns the handling of authentication credentials for certain third-party authentication providers. When a user signs up with the same provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate that same user in the other app. Only Parse Server apps that use an affected third-party provider for user authentication are exposed, that is, apps that configure the Parse Server 'auth' option to use a Parse Server authentication adapter for that provider.
Here's a code snippet highlighting the vulnerable part of the authentication handling mechanism. The request handler passes the provider name and the client-supplied authData straight to the adapter; nothing in this path ties the credential to the application receiving it:
const auth = require('./auth');

app.post('/parse/users', async function (req, res) {
  try {
    const provider = req.body.provider;
    const authData = req.body.authData;
    // The adapter only verifies that the credential is valid for this user at
    // the provider; it does not check which app the credential was issued for,
    // so a credential obtained for another Parse Server app is accepted here.
    const { user, isNew } = await auth.authenticate(provider, authData);
    if (isNew) {
      await user.save();
    }
    res.status(200).send(user);
  } catch (error) {
    res.status(400).send({ error: error.message });
  }
});
To address this vulnerability, operators must upgrade Parse Server to a version that includes the bug fix (7.5.2 or 8.0.2) and also upgrade the client app to send the secure payload, which differs from the previous insecure payload.
Original References
The vulnerability in question is documented and tracked under the Common Vulnerabilities and Exposures (CVE) ID CVE-2025-30168. More information can be found at the following links:
- CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30168
- Parse Server GitHub Repository: https://github.com/parse-community/parse-server
Recommendations
To protect your applications from this vulnerability, it is strongly recommended to upgrade Parse Server to version 7.5.2 or 8.0.2, which include the necessary bug fixes. Additionally, update your client app to send the secure payload when authenticating users.
Here's an example of a secure payload:
{
  "provider": "example",
  "authData": {
    "id": "12345",
    "access_token": "XYZ",
    "app_id": "your_app_id"
  }
}

The app_id field is what distinguishes this secure payload from the previous insecure one.
Including app_id in the payload lets the server confirm that the credential was issued for this application rather than for an unrelated one, which mitigates the vulnerability and prevents unauthorized access to your Parse Server applications.
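To make the difference concrete, here is an added illustrative adapter (not Parse Server's own code) that contrasts a validation routine which ignores the issuing app with one that checks the client-sent app_id against the app's configured id and against the app the provider reports the token was issued for. The provider token table, the introspect() stand-in, and the validateAuthData*/tryLogin function names are all constructed for this example.

```javascript
// Added example, not Parse Server's own code. The provider lookup below is a
// constructed stand-in for a real token-introspection call to the provider.

// Constructed provider data: each access token was minted for one specific
// registered app (the provider's notion of the token's audience).
const PROVIDER_TOKENS = {
  'tok-alice-for-appA': { id: 'alice', app_id: 'appA' },
  'tok-alice-for-appB': { id: 'alice', app_id: 'appB' },
};

// Stand-in for the provider's introspection endpoint.
function introspect(accessToken) {
  const info = PROVIDER_TOKENS[accessToken];
  if (!info) throw new Error('invalid access token');
  return info;
}

// Insecure variant: confirms the token is valid and names this user, but never
// checks which app the provider issued it for, so a credential issued to app A
// is accepted by app B for the same provider user id.
function validateAuthDataInsecure(authData /*, options */) {
  const info = introspect(authData.access_token);
  if (info.id !== authData.id) throw new Error('token does not belong to user');
  return true;
}

// Hardened variant: options.appId is this Parse Server app's registered id at
// the provider. The client must send app_id, and both the client-sent value and
// the provider-reported audience must match this app.
function validateAuthDataSecure(authData, options) {
  if (!authData.app_id) throw new Error('missing app_id in authData');
  if (authData.app_id !== options.appId) throw new Error('app_id mismatch');
  const info = introspect(authData.access_token);
  if (info.id !== authData.id) throw new Error('token does not belong to user');
  if (info.app_id !== options.appId) throw new Error('token issued for another app');
  return true;
}

// Returns 'ok' or the rejection reason so the two variants can be compared.
function tryLogin(validate, authData, options) {
  try { validate(authData, options); return 'ok'; } catch (e) { return e.message; }
}

// Alice's credential from app A presented to app B.
const crossApp = { id: 'alice', access_token: 'tok-alice-for-appA', app_id: 'appA' };
const appB = { appId: 'appB' };
console.log('insecure:', tryLogin(validateAuthDataInsecure, crossApp, appB)); // ok
console.log('secure:  ', tryLogin(validateAuthDataSecure, crossApp, appB));   // app_id mismatch
```

Note that the client-sent app_id alone is not sufficient: the last check in the hardened variant rejects a payload that claims app_id "appB" but carries a token the provider issued for "appA".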
Conclusion
Parse Server users must be aware of this critical vulnerability, officially designated CVE-2025-30168, in versions prior to 7.5.2 and 8.0.2. Promptly updating both the server and client sides of your application will safeguard your infrastructure against threats related to this vulnerability.
Timeline
Published on: 03/21/2025 15:15:43 UTC