CVE-2021-47987
Parse Server Supply Chain Vulnerability Before 4.10.0

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
Meta Information
Generated: 2026-06-26
AI Q&A generated: 2026-06-26
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: parse_server
Product: parse_server
Version / Range: up to 4.10.0 (excluding)
CWE
CWE-494: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves Parse Server versions before 4.10.0, where a supply chain incident occurred. Incorrect version tags were pushed to the official repository, pointing to an unreviewed personal fork of a contributor who had write access. Although no releases were published with these tags, a project could be exposed if it defined a git-based dependency referencing one of the affected tags (e.g., parse-server#4.9.3). The code behind these tags was not reviewed or approved, and while no malicious code was found, the possibility of introduced security vulnerabilities could not be ruled out.

Impact Analysis

If your project uses a git-based dependency referencing one of the affected incorrect version tags, it could be exposed to unreviewed code that might contain security vulnerabilities. This could lead to potential security risks such as unauthorized access, data compromise, or other impacts depending on the nature of the unreviewed code. However, no malicious code was identified in this incident.

Detection Guidance

Exposure is limited to projects whose dependency definitions pull Parse Server (before 4.10.0) through a git-based dependency that points at one of the affected incorrect version tags (e.g., parse-server#4.9.3); because no releases were published from these tags, a copy installed from the npm registry is not in scope. Detection therefore consists of checking whether your project's dependencies include such git-based references to these tags.

You can inspect your project's dependency files (such as package.json or package-lock.json) for git-based dependencies pointing to parse-server versions with tags like 4.9.3.

Example commands to detect this might include:

  • grep -r 'parse-server#4.9.3' ./
  • grep -r 'git+' ./
  • npm ls parse-server

These commands help identify whether your project or its dependencies reference the affected tags. Note that the second pattern matches every git-based dependency, not only parse-server, so its hits need to be read for the repository and tag they point at, and that npm ls parse-server reports the source the installed copy was resolved from, so a git URL in its output also warrants review.
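A more precise check than a plain grep, added here as an example and not code from the original page or the Parse Server project: it parses the dependency fields of a package.json object, recognises the git spec shapes npm accepts, and classifies each git reference to parse-server by whether its tag is below 4.10.0. The package name, spec strings and the sample package.json are constructed for the demonstration.

```javascript
// Added example, not code from the original page or the Parse Server project:
// scans a parsed package.json for git-based specs that point at parse-server
// and reports whether the referenced tag is below 4.10.0 (advisory range).
const FIXED_VERSION = [4, 10, 0];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
// npm git spec shapes: git+<scheme>://..., git://..., github:owner/repo and the
// bare owner/repo GitHub shorthand; "#ref" selects a tag, branch, commit or range.
const GIT_SPEC = /^(?:git\+[a-z]+:\/\/|git:\/\/|github:|gitlab:|bitbucket:|[\w.-]+\/[\w.-]+(?:#|$))/i;
// "4.9.3" or "v4.9.3" -> [4, 9, 3]; anything else (branch, sha, range) -> null.
function parseVersionTag(ref) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(ref);
  return m ? m.slice(1).map(Number) : null;
}
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// One "name": "spec" pair -> finding, or null when it is not a git reference to
// parse-server (registry ranges such as "^4.10.0" are never git-based).
function classifySpec(name, spec) {
  if (typeof spec !== 'string' || !GIT_SPEC.test(spec)) return null;
  const [repo, rawRef = ''] = spec.split('#');
  if (!/parse-server(?:\.git)?$/i.test(repo)) return null;
  const ref = rawRef.replace(/^semver:/, '');
  const ver = parseVersionTag(ref);
  let verdict;
  if (ver === null) verdict = 'unverified: git ref is a branch, commit or range, not a release tag';
  else if (isBelow(ver, FIXED_VERSION)) verdict = 'affected: git tag below 4.10.0';
  else verdict = 'outside advisory range: git tag at or above 4.10.0';
  return { name, spec, ref, verdict };
}
// Walks every dependency field and collects the findings for git-sourced parse-server.
function scanPackageJson(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const finding = classifySpec(name, spec);
      if (finding) findings.push({ field, ...finding });
    }
  }
  return findings;
}
// Constructed sample package.json (not from any real project).
const SAMPLE_PKG = {
  dependencies: { 'parse-server': 'parse-community/parse-server#4.9.3', express: '^4.18.0' },
  devDependencies: { 'parse-fork': 'git+https://github.com/parse-community/parse-server.git#main' },
};
console.log(JSON.stringify(scanPackageJson(SAMPLE_PKG), null, 2));
```

To run it against a real project, replace SAMPLE_PKG with the parsed contents of your package.json; entries reported as unverified point at a non-release git ref and need a manual look at the commit they resolve to.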

Mitigation Strategies

To mitigate this vulnerability, immediately avoid using any git-based dependencies referencing the affected incorrect version tags of Parse Server (e.g., parse-server#4.9.3).

Upgrade your Parse Server dependency to version 4.10.0 or later, where this issue has been resolved.

Review your dependency definitions to ensure no unreviewed or personal forks are referenced.
