CVE-2025-68115
Reflected XSS in Parse Server Password Reset and Email Pages
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parse | parse_server | 8.6.1 |
| parse | parse_server | 9.1.0-alpha.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows attackers to inject malicious scripts into Parse Server's password reset and email verification pages. Successful exploitation results in script execution in the affected user's browser, with a low impact on the confidentiality and integrity of user data and no impact on availability. It can be exploited remotely without privileges, but requires user interaction. [3]
Can you explain this vulnerability to me?
CVE-2025-68115 is a reflected cross-site scripting (XSS) vulnerability in Parse Server's password reset and email verification HTML pages. User-controlled input is inserted into these pages without proper escaping, so an attacker can inject script into the rendered page. Versions prior to 8.6.1 and 9.1.0-alpha.3 are affected. The fix changes the template variable interpolation from the unescaped triple-brace syntax ({{{ }}}) to the escaped double-brace syntax ({{ }}), so that HTML metacharacters in the input are rendered as text rather than as markup. [1, 2, 3]
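The following is an added example, not Parse Server's code, that shows the mechanism behind the fix. It uses a minimal stand-in for Mustache-style interpolation in which `{{{name}}}` inserts the raw value and `{{name}}` inserts the HTML-escaped value, renders a constructed stand-in for a password reset page template in both forms, and includes a simple check that flags output containing more tags than the template itself. The template text, variable names, sample input and the `hasInjectedMarkup` check are all assumptions made for illustration.

```javascript
// Added example (not Parse Server's code): why swapping {{{var}}} for {{var}}
// neutralizes reflected input. Template, names and sample input are constructed.

// Escape the characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal stand-in for Mustache interpolation, processed in a single pass so that
// braces inside an inserted value are never re-expanded:
//   {{{name}}} -> raw value (the pre-fix behaviour)
//   {{name}}   -> HTML-escaped value (the post-fix behaviour)
// Names missing from the view render as an empty string.
const INTERPOLATION = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
function render(template, view) {
  return template.replace(INTERPOLATION, (_, rawName, escapedName) => {
    const name = rawName || escapedName;
    const value = Object.prototype.hasOwnProperty.call(view, name) ? String(view[name]) : '';
    return rawName ? value : escapeHtml(value);
  });
}

// Hypothetical stand-ins for a password reset page: the "before" form interpolates
// request-derived values raw, the "after" form escapes them.
const VULNERABLE_TEMPLATE = '<p>Reset password for {{{username}}} on {{{appName}}}</p>';
const FIXED_TEMPLATE = '<p>Reset password for {{username}} on {{appName}}</p>';

// Simple output check: if the rendered page carries more HTML tags than the template
// it was rendered from, view data reached the page as markup rather than as text.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}
function hasInjectedMarkup(template, output) {
  return countTags(output) > countTags(template);
}

// Constructed sample input: a username carrying a script element.
const SAMPLE_VIEW = { username: '<script>untrusted()</script>', appName: 'ExampleApp' };

console.log('raw     :', render(VULNERABLE_TEMPLATE, SAMPLE_VIEW));
console.log('escaped :', render(FIXED_TEMPLATE, SAMPLE_VIEW));
console.log('raw injected?    ', hasInjectedMarkup(VULNERABLE_TEMPLATE, render(VULNERABLE_TEMPLATE, SAMPLE_VIEW)));
console.log('escaped injected?', hasInjectedMarkup(FIXED_TEMPLATE, render(FIXED_TEMPLATE, SAMPLE_VIEW)));
```

The single-pass renderer matters: a two-pass implementation that first expands `{{{ }}}` and then `{{ }}` would re-interpolate braces contained in a raw value, which is a separate template-injection problem. The tag-count check is a coarse regression test, not a sanitizer; escaping at the interpolation site is the actual fix.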
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-68115, you should immediately update your Parse Server to version 8.6.1 or later, or to version 9.1.0-alpha.3 or later. These versions include patches that properly escape user-controlled input in the password reset and email verification HTML pages, preventing the reflected XSS vulnerability. No known workarounds exist, so applying the official patch is the recommended and effective mitigation step. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with standards and regulations such as GDPR or HIPAA. However, because the reflected XSS allows unauthorized script execution in a user's browser and a limited compromise of user data confidentiality and integrity, it could pose risks under data protection regulations that require personal data to be safeguarded against unauthorized access or disclosure. Applying the official patches is necessary to mitigate these risks. [3]