CVE-2025-62374
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parse | parse_sdk_js | 7.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62374 is a prototype pollution vulnerability in the Parse JavaScript SDK prior to version 7.0.0. It allows an attacker to inject malicious payloads through affected functions like ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, and internal modules such as ObjectStateMutations and encode/decode. This injection can lead to remote arbitrary code execution by manipulating the prototype chain of JavaScript objects, which can alter application behavior or security controls. The vulnerability was fixed by sanitizing dangerous keys, restricting property iterations to own properties, and using prototype-free internal data structures to prevent prototype pollution. [3, 4]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to remotely execute arbitrary code within applications using the affected Parse JavaScript SDK versions. Exploiting prototype pollution can lead to unauthorized code execution, denial of service, or data corruption by modifying the prototype of JavaScript objects. The attack requires low privileges, no user interaction, and can be performed remotely over the network, making it a significant security risk. The impact includes limited confidentiality exposure, no integrity impact, and some availability impact. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-62374, immediately upgrade the Parse JavaScript SDK to version 7.0.0 or later, as this version includes the patch that fixes the prototype pollution vulnerability. Avoid using affected methods such as ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, and internal APIs until the upgrade is applied. Additionally, review your usage of Parse SDK to ensure no untrusted input is passed to these APIs. Applying the official patch and following the updated SDK usage guidelines will prevent exploitation of this vulnerability. [2, 3, 4]