CVE-2025-62374: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62374 affects Parse Javascript SDK prior to version 7.0.0. The vulnerability allows attackers to perform prototype pollution through multiple components including ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) APIs. The vulnerability was discovered and disclosed on October 14, 2025 (GitHub Advisory).

The vulnerability is classified as a prototype pollution issue (CWE-1321) that enables injection of malicious payloads allowing remote code execution. It received a CVSS v3.1 base score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L, indicating network attack vector, low attack complexity, low privileges required, no user interaction needed, changed scope, and low impact on confidentiality and availability (NVD).

The vulnerability allows attackers to remotely execute arbitrary code by exploiting prototype pollution in multiple Parse SDK components. This affects the security of applications using the Parse Javascript SDK for backend interactions (GitHub Advisory).

The vulnerability has been fixed in Parse Javascript SDK version 7.0.0. Users should upgrade to version 7.0.0 or later to receive the security fix. The fix includes comprehensive protection against prototype pollution across all affected components (Parse SDK Release).