CVE-2025-67727
Elevated Permissions in Parse Server GitHub Actions Workflow
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parse_server | parse_server | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the GitHub Actions CI/CD workflows of the parse-community/parse-server repository prior to version 8.6.0-alpha.2, specifically the workflow defined in `.github/workflows/ci-performance.yml`. To detect if your system is vulnerable, you should check if your repository or fork uses GitHub Actions workflows that trigger on `pull_request_target` and have elevated permissions such as write access to pull requests or issues, or access to GitHub secrets. You can inspect the workflow file with commands like `cat .github/workflows/ci-performance.yml` or use GitHub's UI to review workflow triggers and permissions. Look for the presence of `pull_request_target` triggers and permissions beyond `contents: read`. There are no specific network commands to detect exploitation since this is a CI configuration issue. Instead, detection involves auditing your GitHub Actions workflow files for the vulnerable configuration. [1, 2]
Can you explain this vulnerability to me?
This vulnerability in Parse Server versions prior to 8.6.0-alpha.2 involves the GitHub CI workflow being triggered in a way that grants the GitHub Actions workflow elevated permissions. This allows access to GitHub secrets and write permissions defined in the workflow. Potentially, code from a fork or lifecycle scripts could be included, affecting the repository's CI/CD infrastructure and any public GitHub forks with GitHub Actions enabled.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to GitHub secrets and write permissions within the CI/CD infrastructure of the repository. This could allow malicious code execution or unauthorized changes in the repository's workflows, potentially compromising the security and integrity of the software development process.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Parse Server to version 8.6.0-alpha.2 or later, which contains the fix for this vulnerability. Additionally, review and restrict GitHub Actions workflow permissions to avoid granting elevated access to secrets and write permissions, especially for workflows triggered by forks or lifecycle scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.