6.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62374

GHSA ID

GHSA-9f2h-7v79-mxw3

EPSS Score

CWE

CWE-1321

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62374

CVE-2025-62374: Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Summary

Prototype pollution capabilities on various APIs.

Details

Injection of malicious payload allows attacker to remotely execute arbitrary code. Parse.Object and internal APIs are affected, specifically:

ParseObject.fromJSON
ParseObject.pin
ParseObject.registerSubclass
ObjectStateMutations (internal)
encode/decode (internal)

PoC

Demonstrative tests added as part of the fix.

References

https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3
Patch https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62374

CVE-2025-62374:

6.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62374

GHSA ID

GHSA-9f2h-7v79-mxw3

EPSS Score

CWE

CWE-1321

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse	npm	< 7.0.0	7.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic prototype pollution issue in the Parse Javascript SDK. The root cause is the improper handling of object keys in several parts of the codebase, which allowed an attacker to modify the Object.prototype by using malicious keys like __proto__, constructor, or prototype.

The analysis of the patch commit 00973987f361368659c0c4dbf669f3897520b132 reveals that the fix involves two main strategies:

Introducing a new function isDangerousKey to explicitly check for and block malicious keys.
Changing the creation of internal objects from {} to Object.create(null) to prevent access to the Object.prototype.

The vulnerable functions were identified by locating where these fixes were applied. The core of the vulnerability lies in the internal decode, encode, and ObjectStateMutations modules, which were responsible for handling object data without proper validation. These internal vulnerabilities were then exposed through the public API of ParseObject, specifically in functions like fromJSON, registerSubclass, and pin, as stated in the security advisory.

The identified functions are the ones that would appear in a runtime profile when the vulnerability is triggered. An attacker would craft a malicious object and pass it to one of these functions, causing the prototype pollution to occur within the execution of that function.

Vulnerable functions

decode

src/decode.ts

The `decode` function recursively processed object properties without checking for dangerous keys like `__proto__`. This allowed an attacker to inject a malicious payload that would pollute the Object prototype when decoded.

encode

src/encode.ts

The `encode` function recursively processed object properties without checking for dangerous keys. This could lead to prototype pollution if a malicious object with a `__proto__` key was passed to it.

setServerData

src/ObjectStateMutations.ts

The `setServerData` function in `ObjectStateMutations` was vulnerable to prototype pollution because it iterated over attributes of an object and assigned them to `serverData` without checking for dangerous keys like `__proto__`.

setPendingOp

src/ObjectStateMutations.ts

The `setPendingOp` function in `ObjectStateMutations` did not validate the `attr` parameter, allowing a malicious attribute name to be set as a pending operation, leading to prototype pollution.

mergeFirstPendingState

src/ObjectStateMutations.ts

The `mergeFirstPendingState` function in `ObjectStateMutations` was vulnerable as it merged pending operations without checking for dangerous attribute names, which could lead to prototype pollution.

estimateAttribute

src/ObjectStateMutations.ts

The `estimateAttribute` function in `ObjectStateMutations` did not validate the `attr` parameter. A malicious attribute could be passed to access and potentially pollute the prototype chain.

estimateAttributes

src/ObjectStateMutations.ts

The `estimateAttributes` function in `ObjectStateMutations` iterated through pending operations without checking for dangerous keys, making it vulnerable to prototype pollution.

commitServerChanges

src/ObjectStateMutations.ts

The `commitServerChanges` function in `ObjectStateMutations` was vulnerable because it processed changes from the server without validating attribute names, allowing for prototype pollution.

ParseObject.registerSubclass

src/ParseObject.ts

The `ParseObject.registerSubclass` function used a plain JavaScript object (`{}`) as a map for class names. By registering a subclass with a class name like `__proto__`, an attacker could pollute the `Object.prototype`. The fix was to use `Object.create(null)` to create a dictionary-like object without a prototype.

ParseObject.fromJSON

src/ParseObject.ts

The `ParseObject.fromJSON` function was vulnerable to prototype pollution. If a JSON object with a `className` of `__proto__` was passed to this function, it could lead to polluting the `Object.prototype`. The vulnerability is confirmed by the added tests, and the fix is in the underlying `decode` function and the creation of objects.

ParseObject.pin

src/ParseObject.ts

The `ParseObject.pin` function was vulnerable to prototype pollution. It uses internal APIs like `ObjectStateMutations` to manage the state of the object being pinned. Before the patch, these internal APIs did not protect against prototype pollution, making `pin` an attack vector.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62374: Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Summary

Details

PoC

References

CVE-2025-62374:

6.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

6.4

6.4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-62374: Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Summary

Details

PoC

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI