6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30168

GHSA ID

GHSA-837q-jhwx-cmpv

EPSS Score

0.31165%

CWE

CWE-287

Published

3/21/2025

Updated

3/21/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30168

CVE-2025-30168: Parse Server has an OAuth login vulnerability

Impact

The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. See the 3rd party authentication docs for more information on which authentication providers are affected.

Patches

The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. To accommodate a gradual rollout of the client app update, affected Parse Server authentication adapters now offer an enableInsecureAuth option to accept both insecure and secure payloads from clients apps. See the 3rd party authentication docs for how to migrate from insecure to secure authentication.

Workarounds

None.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv
Parse Server documentation for 3rd party authentication providers: https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication
Bug fix in Parse Server 7: https://github.com/parse-community/parse-server/pull/9668
Bug fix in Parse Server 8: https://github.com/parse-community/parse-server/pull/9667

(GitHub Advisory)

6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30168

GHSA ID

GHSA-837q-jhwx-cmpv

EPSS Score

0.31165%

CWE

CWE-287

Published

3/21/2025

Updated

3/21/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm
parse-server	npm

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from authentication adapters allowing both secure (code-based) and insecure (token-based) authentication flows. The insecure flow (enableInsecureAuth) didn't properly bind credentials to specific apps through client_id/client_secret validation, allowing credentials from one app to work in another. The BaseAuthCodeAdapter's beforeFind method is the primary point where insecure authentication was permitted. Specific adapters like GitHub and Google Play Games inherited this vulnerable behavior. The patches introduced strict code validation and made enableInsecureAuth opt-in to prevent cross-app credential reuse.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *r* p*rty *ut**nti**tion **n*lin* o* P*rs* S*rv*r *llows t** *ut**nti**tion *r***nti*ls o* som* sp**i*i* *ut**nti**tion provi**rs to ** us** **ross multipl* P*rs* S*rv*r *pps. *or *x*mpl*, i* * us*r si*n** up usin* t** s*m* *ut**nti**

Reasoning

T** vuln*r**ility st*mm** *rom *ut**nti**tion ***pt*rs *llowin* *ot* s**ur* (*o**-**s**) *n* ins**ur* (tok*n-**s**) *ut**nti**tion *lows. T** ins**ur* *low (*n**l*Ins**ur**ut*) *i*n't prop*rly *in* *r***nti*ls to sp**i*i* *pps t*rou** *li*nt_i*/*li*n

6.9

Basic Information

Concerned about an active attack path?

CVE-2025-30168: Parse Server has an OAuth login vulnerability

Impact

Patches

Workarounds

References

6.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI