CVE-2025-67727
Unknown Unknown - Not Provided
Elevated Permissions in Parse Server GitHub Actions Workflow

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67727
EUVD
EUVD-2025-203056
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parse_server parse_server *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Parse Server versions prior to 8.6.0-alpha.2 involves the GitHub CI workflow being triggered in a way that grants the GitHub Actions workflow elevated permissions. This allows access to GitHub secrets and write permissions defined in the workflow. Potentially, code from a fork or lifecycle scripts could be included, affecting the repository's CI/CD infrastructure and any public GitHub forks with GitHub Actions enabled.

Impact Analysis

The vulnerability can lead to unauthorized access to GitHub secrets and write permissions within the CI/CD infrastructure of the repository. This could allow malicious code execution or unauthorized changes in the repository's workflows, potentially compromising the security and integrity of the software development process.

Mitigation Strategies

Upgrade Parse Server to version 8.6.0-alpha.2 or later, which contains the fix for this vulnerability. Additionally, review and restrict GitHub Actions workflow permissions to avoid granting elevated access to secrets and write permissions, especially for workflows triggered by forks or lifecycle scripts.

Detection Guidance

This vulnerability affects the GitHub Actions CI/CD workflows of the parse-community/parse-server repository prior to version 8.6.0-alpha.2, specifically the workflow defined in `.github/workflows/ci-performance.yml`. To detect if your system is vulnerable, you should check if your repository or fork uses GitHub Actions workflows that trigger on `pull_request_target` and have elevated permissions such as write access to pull requests or issues, or access to GitHub secrets. You can inspect the workflow file with commands like `cat .github/workflows/ci-performance.yml` or use GitHub's UI to review workflow triggers and permissions. Look for the presence of `pull_request_target` triggers and permissions beyond `contents: read`. There are no specific network commands to detect exploitation since this is a CI configuration issue. Instead, detection involves auditing your GitHub Actions workflow files for the vulnerable configuration. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67727. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart