5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68115

CVE-2025-68115: Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68115

CVE-2025-68115:

5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 8.6.1	8.6.1
parse-server	npm	>= 9.0.0, < 9.1.0-alpha.3	9.1.0-alpha.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic reflected Cross-Site Scripting (XSS) issue within Parse Server's password reset and email verification pages. The root cause is the use of unescaped Mustache template variables ({{{...}}}) instead of the HTML-escaped version ({{...}}).

My analysis of the provided patches, specifically commits f6e61029e8d77e06c7a9438b8a4f0fa6cea9a5db and 51f264b90b2d89d6a8889919238c63f461f9576d, confirms this. The changes in multiple HTML files (e.g., public/password_reset.html, public/email_verification_link_expired.html) consistently replace the triple curly braces with double curly braces for variables that can be controlled by an attacker through URL parameters (token, username, locale, publicServerUrl, appId).

The commits also show that the PublicAPIRouter.js was removed and replaced by PagesRouter.js, which is now responsible for handling these public-facing pages. Although the exact source code of the new PagesRouter.js methods is not in the diff, the functionality remains the same. The vulnerable functions are those that render these templates.

Based on the functionality and the routes tested in the patch (/apps/choose_password), I've identified the methods responsible for handling the GET requests for the password reset and email verification pages as the vulnerable functions. During an exploit, these are the functions that would process the malicious input from the URL and trigger the rendering of the vulnerable templates, causing them to appear in a runtime profile or stack trace.

Vulnerable functions

PagesRouter.changePassword

src/Routers/PagesRouter.js

The `changePassword` function (or a similarly named function in `PagesRouter`) renders the password reset page (`password_reset.html`). This function takes user-controlled parameters from the request URL, such as `token`, `username`, and `locale`, and passes them to the Mustache template engine. The template used triple curly braces (`{{{...}}}`) to render these values, which does not perform HTML escaping. This allows an attacker to inject malicious scripts into the `value` attributes of hidden input fields, leading to a reflected Cross-Site Scripting (XSS) vulnerability. When a user visits a crafted password reset link, the malicious script would execute in their browser.

PagesRouter.verifyEmail

src/Routers/PagesRouter.js

The `verifyEmail` function (or a similarly named function in `PagesRouter`) handles email verification links. When a link is expired or invalid, it renders the `email_verification_link_expired.html` page. This function passes user-controlled parameters from the URL, such as `token` and `locale`, to the template. The template used triple curly braces (`{{{...}}}`), which does not escape the values. This allows an attacker to inject malicious scripts into the `value` attribute of hidden input fields or the `action` attribute of the form, leading to a reflected Cross-Site Scripting (XSS) vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68115: Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables

CVE-2025-68115:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.3

5.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2025-68115: Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI