9.8
CVE-2025-67727
- EPSS 0.36%
- Published 12.12.2025 06:35:52
- Last modified 22.12.2025 18:59:23
- Source security-advisories@github.com
Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed in version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe.
Data provided by the National Vulnerability Database (NVD)
Parseplatform ≫ Parse-server, SwPlatform node.js, Version <= 8.5.0
Parseplatform ≫ Parse-server, Version 8.6.0, Update alpha1, SwPlatform node.js
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.276 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| security-advisories@github.com | 6.9 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://github.com/parse-community/parse-server/security/advisories/GHSA-6w8g-mgvv-3fcj
https://github.com/parse-community/parse-server/commit/6b9f8963cc3debf59cd9c5dfc5422aff9404ce9d
https://github.com/parse-community/parse-server/commit/e3d27fea08c8d8bdd9770a689bc2d757cda48b66