7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-x4qj-2f4q-r4rx

EPSS Score

CWE

Published

11/5/2025

Updated

11/5/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-x4qj-2f4q-r4rx

GHSA-x4qj-2f4q-r4rx: Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format

Impact

A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response.

Patches

The feature has been implemented in Parse Server 4.2.0 but never worked and reliably crashes the server when trying to use it due to a bug in its implementation. Since the feature is not currently working, and due to its risky nature, it has been removed to address the vulnerability.

Workarounds

None.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-x4qj-2f4q-r4rx

GHSA-x4qj-2f4q-r4rx:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-x4qj-2f4q-r4rx

EPSS Score

CWE

Published

11/5/2025

Updated

11/5/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	>= 4.2.0, < 7.5.4	7.5.4
parse-server	npm	>= 8.0.0, <= 8.4.0-alpha.1	8.4.0-alpha.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Server-Side Request Forgery (SSRF) located in the file upload functionality of Parse Server. The root cause is the downloadFileFromURI function in src/Routers/FilesRouter.js, which makes an HTTP request to a user-provided URI without proper validation. This function is called by addFileDataIfNeeded when a file upload request specifies the uri format. The vulnerability is triggered within the POST route handler for /files/:fileName, which is defined in the expressRouter method of the FilesRouter class. The patch mitigates this vulnerability by completely removing the downloadFileFromURI and addFileDataIfNeeded functions, along with the call to addFileDataIfNeeded within the route handler, effectively disabling the feature of uploading files from a URI.

Vulnerable functions

downloadFileFromURI

src/Routers/FilesRouter.js

This function is vulnerable to Server-Side Request Forgery (SSRF) because it makes an HTTP GET request to a URI provided in the `uri` parameter without any validation. An attacker can supply a malicious URI to make the server perform arbitrary requests.

addFileDataIfNeeded

src/Routers/FilesRouter.js

This function acts as a wrapper that calls the vulnerable `downloadFileFromURI` function. It checks if the file upload request contains a `uri` format and, if so, passes the user-provided URI to `downloadFileFromURI`, triggering the SSRF vulnerability.

FilesRouter.expressRouter

src/Routers/FilesRouter.js

The `expressRouter` method in the `FilesRouter` class contains the route handler for file uploads. The vulnerability is triggered within this handler, which, before the patch, would call `addFileDataIfNeeded` if a file was being uploaded via a URI. The removal of this call is part of the patch that mitigates the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-x4qj-2f4q-r4rx: Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format

Impact

Patches

Workarounds

GHSA-x4qj-2f4q-r4rx:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

GHSA-x4qj-2f4q-r4rx: Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI