Miggo Logo
Miggo Vulnerability Database
CVE-2025-62374

CVE-2025-62374: Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

6.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-62374
GHSA ID
GHSA-9f2h-7v79-mxw3
EPSS Score
-
CWE
CWE-1321
Published
10/14/2025
Updated
10/14/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
parsenpm< 7.0.07.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a classic prototype pollution issue in the Parse Javascript SDK. The root cause is the improper handling of object keys in several parts of the codebase, which allowed an attacker to modify the Object.prototype by using malicious keys like __proto__, constructor, or prototype.

The analysis of the patch commit 00973987f361368659c0c4dbf669f3897520b132 reveals that the fix involves two main strategies:

  1. Introducing a new function isDangerousKey to explicitly check for and block malicious keys.
  2. Changing the creation of internal objects from {} to Object.create(null) to prevent access to the Object.prototype.

The vulnerable functions were identified by locating where these fixes were applied. The core of the vulnerability lies in the internal decode, encode, and ObjectStateMutations modules, which were responsible for handling object data without proper validation. These internal vulnerabilities were then exposed through the public API of ParseObject, specifically in functions like fromJSON, registerSubclass, and pin, as stated in the security advisory.

The identified functions are the ones that would appear in a runtime profile when the vulnerability is triggered. An attacker would craft a malicious object and pass it to one of these functions, causing the prototype pollution to occur within the execution of that function.

Vulnerable functions

decode
src/decode.ts
The `decode` function recursively processed object properties without checking for dangerous keys like `__proto__`. This allowed an attacker to inject a malicious payload that would pollute the Object prototype when decoded.
encode
src/encode.ts
The `encode` function recursively processed object properties without checking for dangerous keys. This could lead to prototype pollution if a malicious object with a `__proto__` key was passed to it.
setServerData
src/ObjectStateMutations.ts
The `setServerData` function in `ObjectStateMutations` was vulnerable to prototype pollution because it iterated over attributes of an object and assigned them to `serverData` without checking for dangerous keys like `__proto__`.
setPendingOp
src/ObjectStateMutations.ts
The `setPendingOp` function in `ObjectStateMutations` did not validate the `attr` parameter, allowing a malicious attribute name to be set as a pending operation, leading to prototype pollution.
mergeFirstPendingState
src/ObjectStateMutations.ts
The `mergeFirstPendingState` function in `ObjectStateMutations` was vulnerable as it merged pending operations without checking for dangerous attribute names, which could lead to prototype pollution.
estimateAttribute
src/ObjectStateMutations.ts
The `estimateAttribute` function in `ObjectStateMutations` did not validate the `attr` parameter. A malicious attribute could be passed to access and potentially pollute the prototype chain.
estimateAttributes
src/ObjectStateMutations.ts
The `estimateAttributes` function in `ObjectStateMutations` iterated through pending operations without checking for dangerous keys, making it vulnerable to prototype pollution.
commitServerChanges
src/ObjectStateMutations.ts
The `commitServerChanges` function in `ObjectStateMutations` was vulnerable because it processed changes from the server without validating attribute names, allowing for prototype pollution.
ParseObject.registerSubclass
src/ParseObject.ts
The `ParseObject.registerSubclass` function used a plain JavaScript object (`{}`) as a map for class names. By registering a subclass with a class name like `__proto__`, an attacker could pollute the `Object.prototype`. The fix was to use `Object.create(null)` to create a dictionary-like object without a prototype.
ParseObject.fromJSON
src/ParseObject.ts
The `ParseObject.fromJSON` function was vulnerable to prototype pollution. If a JSON object with a `className` of `__proto__` was passed to this function, it could lead to polluting the `Object.prototype`. The vulnerability is confirmed by the added tests, and the fix is in the underlying `decode` function and the creation of objects.
ParseObject.pin
src/ParseObject.ts
The `ParseObject.pin` function was vulnerable to prototype pollution. It uses internal APIs like `ObjectStateMutations` to manage the state of the object being pinned. Before the patch, these internal APIs did not protect against prototype pollution, making `pin` an attack vector.

WAF Protection Rules

WAF Rule

### Summ*ry Prototyp* pollution **p**iliti*s on v*rious *PIs. ### **t*ils Inj**tion o* m*li*ious p*ylo** *llows *tt**k*r to r*mot*ly *x**ut* *r*itr*ry *o**. `P*rs*.O*j**t` *n* int*rn*l *PIs *r* *****t**, sp**i*i**lly: - `P*rs*O*j**t.*romJSON` - `P

Reasoning

T** vuln*r**ility is * *l*ssi* prototyp* pollution issu* in t** P*rs* J*v*s*ript S*K. T** root **us* is t** improp*r **n*lin* o* o*j**t k*ys in s*v*r*l p*rts o* t** *o****s*, w*i** *llow** *n *tt**k*r to mo*i*y t** `O*j**t.prototyp*` *y usin* m*li*io