CVE-2025-67727

Dec. 22, 2025, 6:59 p.m.

6.9
Medium

Description

Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe.

Product(s) Impacted

Vendor Product Versions
Parseplatform
  • Parse-server
  • *, 8.6.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a parseplatform parse-server / / / / / node.js / /
a parseplatform parse-server 8.6.0 alpha1 / / / node.js / /

References

https://github.com/parse-community/parse-server/commit/6b9f8963cc3debf59cd9c5dfc5422aff9404ce9d
https://github.com/parse-community/parse-server/commit/e3d27fea08c8d8bdd9770a689bc2d757cda48b66
https://github.com/parse-community/parse-server/security/advisories/GHSA-6w8g-mgvv-3fcj

Tags

security-advisories@github.com
2025-12-12
CVE-2025-67727

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Dec. 12, 2025, 7:15 a.m.
Last Modified: Dec. 22, 2025, 6:59 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.