CVE-2025-62374: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62374 affects Parse Javascript SDK versions prior to 7.0.0, where a prototype pollution vulnerability exists in Parse.Object and internal APIs. The vulnerability was discovered and disclosed on October 14, 2025, impacting multiple components including ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) functionalities (GitHub Advisory).

The vulnerability is classified as a prototype pollution issue (CWE-1321) that allows injection of malicious payload enabling remote code execution. The vulnerability has received a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L. This indicates the vulnerability is network-accessible, requires low attack complexity and privileges, needs no user interaction, has changed scope, and can impact both confidentiality and availability (GitHub Advisory, NVD).

The vulnerability allows attackers to execute arbitrary code remotely through prototype pollution. This affects the core functionality of Parse Javascript SDK, potentially compromising applications that use the affected versions for their backend operations (GitHub Advisory).

The vulnerability has been fixed in Parse Javascript SDK version 7.0.0. Users are strongly advised to upgrade to this version or later. The fix includes comprehensive protection against prototype pollution across all mutation surfaces, including the implementation of prototype-free objects and dangerous key checks (Parse Release).