CVE-2025-68115
Unknown Unknown - Not Provided
Reflected XSS in Parse Server Password Reset and Email Pages

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68115
EUVD
EUVD-2025-203485
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
parse parse_server 8.6.1
parse parse_server 9.1.0-alpha.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow attackers to inject malicious scripts into the password reset and email verification pages of Parse Server. Exploiting this could lead to unauthorized script execution in users' browsers, potentially compromising user data confidentiality and integrity to a limited extent. The impact includes low confidentiality and integrity impact, with no effect on availability. Attackers can exploit this remotely without privileges but require user interaction. [3]

Executive Summary

CVE-2025-68115 is a Reflected Cross-Site Scripting (XSS) vulnerability in Parse Server's password reset and email verification HTML pages. It occurs because user-controlled inputs are not properly escaped before being inserted into these pages, allowing attackers to inject malicious scripts. This vulnerability affects versions prior to 8.6.1 and 9.1.0-alpha.3. The issue was fixed by changing the template variable interpolation from unescaped triple-brace syntax to escaped double-brace syntax, preventing script injection. [1, 2, 3]

Mitigation Strategies

To mitigate CVE-2025-68115, you should immediately update your Parse Server to version 8.6.1 or later, or to version 9.1.0-alpha.3 or later. These versions include patches that properly escape user-controlled input in the password reset and email verification HTML pages, preventing the reflected XSS vulnerability. No known workarounds exist, so applying the official patch is the recommended and effective mitigation step. [1, 3]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows reflected Cross-Site Scripting (XSS) attacks that could lead to unauthorized script execution and potential compromise of user data confidentiality and integrity to a limited extent, it could pose risks to compliance with data protection regulations that require safeguarding personal data against unauthorized access or disclosure. Remediation by applying the official patches is necessary to mitigate these risks. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68115. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart