CVE-2025-30168: 
JavaScript vulnerability analysis and mitigation

Parse Server, an open source backend deployable on Node.js infrastructure, was found to contain a security vulnerability in versions prior to 7.5.2 and 8.0.2. The vulnerability allows authentication credentials of specific third-party authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app could be used to authenticate the same user in the other app. This vulnerability specifically affects Parse Server apps that use affected third-party authentication providers for user authentication, configured through the Parse Server 'auth' option (GitHub Advisory).

The vulnerability has been assigned CVE-2025-30168 with a CVSS v3.1 score of 6.9 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating that the vulnerability requires network access, has high attack complexity, requires no privileges, needs user interaction, has changed scope, and can result in high confidentiality impact with low integrity impact (GitHub Advisory).

The vulnerability allows attackers to use authentication credentials across different Parse Server applications, potentially leading to unauthorized access to user accounts across multiple applications that use the same authentication provider. This creates a significant security risk as it breaks the intended isolation between different Parse Server applications (GitHub Advisory).

The vulnerability has been fixed in Parse Server versions 7.5.2 and 8.0.2. The fix requires both a server upgrade and client app updates to send secure payloads. To facilitate gradual rollout, affected authentication adapters now include an enableInsecureAuth option that accepts both secure and insecure payloads from client apps. No workarounds are available; upgrading to a patched version is required (GitHub Advisory).