CVE-2025-64430: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Parse Server versions >= 4.2.0, < 7.5.4 and >= 8.0.0, <= 8.4.0-alpha.1, identified as CVE-2025-64430. The vulnerability exists in the file upload functionality when attempting to upload a Parse.File with a URI parameter, which allows execution of arbitrary URIs. While the server attempts to retrieve file data from the provided URI, it crashes upon receiving the response without storing the file in Parse Server's storage (GitHub Advisory).

The vulnerability is classified as High severity with a CVSS score of 7.5. The attack vector is Network-based with low complexity, requiring no privileges or user interaction. The scope is unchanged, with no impact on confidentiality or integrity, but high impact on availability. The vulnerability was introduced in Parse Server 4.2.0 through a file upload feature that was implemented but never worked correctly due to implementation bugs (GitHub Advisory).

When exploited, the vulnerability causes the server to crash upon receiving the response from the malicious URI request. While the attacker cannot achieve data exfiltration through file storage (as the server crashes before storage), the vulnerability can be used to impact service availability through server crashes (GitHub Advisory).

The vulnerability has been patched in versions 7.5.4 and 8.4.0-alpha.2. The fix involved completely removing the problematic URI-based file upload feature, as it was deemed risky and had never worked correctly. No workarounds are available for affected versions; upgrading to a patched version is required (GitHub Advisory).