CVE-2025-64430 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js. The vulnerability exists in the file upload functionality: uploading a Parse.File with a uri parameter makes the server fetch that URI itself, so a request can be directed at arbitrary internal or external targets.
Critical Impact
This SSRF vulnerability allows unauthenticated attackers to force the Parse Server to make HTTP requests to arbitrary URIs, potentially exposing internal network services or causing denial of service conditions.
Affected Products
- Parse Server versions 4.2.0 through 7.5.3
- Parse Server versions 8.0.0 through 8.3.1-alpha.1
- Node.js deployments running vulnerable Parse Server instances
Discovery Timeline
- 2025-11-07 - CVE-2025-64430 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-64430
Vulnerability Analysis
The vulnerability stems from Parse Server's file upload feature, which allows users to upload files by providing a URI instead of direct file data. When a user submits a file upload request with a uri parameter, the Parse Server retrieves the file data from the specified URI without proper validation. This design flaw enables attackers to force the server to make outbound HTTP requests to arbitrary destinations.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches a remote resource without sufficiently validating the user-supplied URL. In this case, the server crashes upon receiving the response, resulting in a denial of service condition rather than data exfiltration.
Root Cause
The root cause lies in the downloadFileFromURI function within src/Routers/FilesRouter.js. This function uses Node.js's built-in http module to fetch content from user-supplied URIs without implementing proper URL validation, allowlisting, or blocklisting mechanisms. The addFileDataIfNeeded function checks if the file source format is uri and then directly invokes the download function with the untrusted URI.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can craft a malicious file upload request containing a uri parameter pointing to internal network resources (such as http://localhost:6379 for Redis, http://169.254.169.254 for cloud metadata services, or internal API endpoints). When the Parse Server processes this request, it initiates an HTTP GET request to the specified URI, potentially:
- Probing internal network services for reconnaissance
- Accessing cloud provider metadata endpoints
- Interacting with internal APIs that trust local traffic
- Causing server crashes leading to denial of service
// Vulnerable code removed in security patch (src/Routers/FilesRouter.js)
// Source: https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51
import Config from '../Config';
import logger from '../logger';
const triggers = require('../triggers');
-const http = require('http');
const Utils = require('../Utils');
-const downloadFileFromURI = uri => {
- return new Promise((res, rej) => {
- http
- .get(uri, response => {
- response.setDefaultEncoding('base64');
- let body = `data:${response.headers['content-type']};base64,`;
- response.on('data', data => (body += data));
- response.on('end', () => res(body));
- })
- .on('error', e => {
- rej(`Error downloading file from ${uri}: ${e.message}`);
- });
- });
-};
-
-const addFileDataIfNeeded = async file => {
- if (file._source.format === 'uri') {
- const base64 = await downloadFileFromURI(file._source.uri);
- file._previousSave = file;
- file._data = base64;
- file._requestTask = null;
- }
- return file;
-};
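Review bot: the crash-on-response the advisory describes is visible in the removed handler: `response.setDefaultEncoding('base64')` calls a stream.Writable method on the http.IncomingMessage (a Readable, whose method is `setEncoding`), so it throws a TypeError inside the `http.get` callback, outside the Promise executor, where neither the `.on('error')` handler nor promise rejection can catch it, and the process goes down on the first response. Removing the whole path is the right fix; any future replacement would also need a scheme and address allowlist before `http.get(uri)`, a cap on the body accumulated in `body += data`, and a request timeout, none of which the removed code had.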
Detection Methods for CVE-2025-64430
Indicators of Compromise
- Unexpected outbound HTTP requests originating from Parse Server processes to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- HTTP requests to cloud metadata endpoints such as 169.254.169.254 from Parse Server
- Parse Server crash logs indicating errors during file upload operations with URI-based sources
- Unusual network traffic patterns from Parse Server to localhost or internal services
Detection Strategies
- Monitor Parse Server application logs for file upload requests containing uri parameters with internal or suspicious destinations
- Implement network-level monitoring for outbound HTTP traffic from Parse Server nodes to internal network ranges
- Deploy Web Application Firewall (WAF) rules to detect and block file upload requests with uri parameters pointing to restricted addresses
- Use SentinelOne Singularity Platform to detect anomalous network behavior from Node.js processes
Monitoring Recommendations
- Enable detailed access logging for Parse Server file upload endpoints
- Configure alerts for Parse Server process crashes or restarts that may indicate exploitation attempts
- Monitor DNS queries from Parse Server instances for resolution of internal hostnames or metadata service domains
- Implement egress filtering and logging to track all outbound connections from Parse Server infrastructure
How to Mitigate CVE-2025-64430
Immediate Actions Required
- Upgrade Parse Server to version 7.5.4 or 8.4.0-alpha.1 immediately to apply the security fix
- If immediate upgrade is not possible, disable or restrict access to the file upload endpoint
- Implement network-level controls to block outbound requests from Parse Server to sensitive internal resources
- Review Parse Server logs for any evidence of exploitation attempts
Patch Information
The Parse Server development team has addressed this vulnerability by completely removing the URI-based file download functionality. The fix eliminates the downloadFileFromURI function and the addFileDataIfNeeded helper that processed URI-based file uploads. Users should upgrade to the patched versions:
- Version 7.5.4 for the 7.x release branch
- Version 8.4.0-alpha.1 for the 8.x release branch
For detailed patch information, refer to the GitHub Security Advisory GHSA-x4qj-2f4q-r4rx and the related pull requests #9903 and #9904.
Workarounds
- Deploy a reverse proxy or WAF in front of Parse Server to filter file upload requests containing uri parameters
- Implement network segmentation to restrict Parse Server's ability to reach internal services
- Use firewall rules to block outbound traffic from Parse Server to internal IP ranges and cloud metadata endpoints
- Temporarily disable file upload functionality if the feature is not critical to operations
# Example: iptables rules to block SSRF attempts to internal networks and cloud metadata
# Assumes Parse Server runs as the local user "parseserver"; adjust --uid-owner to match your deployment.
# A dedicated chain logs every blocked attempt before dropping it, so all ranges share one log prefix
iptables -N PARSE_SSRF
iptables -A PARSE_SSRF -j LOG --log-prefix "SSRF_BLOCKED: " --log-level 4
iptables -A PARSE_SSRF -j DROP
# Add ACCEPT rules for legitimate local dependencies (for example a database on 127.0.0.1)
# before these lines, because each rule below matches every connection to its range
iptables -A OUTPUT -m owner --uid-owner parseserver -d 10.0.0.0/8 -j PARSE_SSRF
iptables -A OUTPUT -m owner --uid-owner parseserver -d 172.16.0.0/12 -j PARSE_SSRF
iptables -A OUTPUT -m owner --uid-owner parseserver -d 192.168.0.0/16 -j PARSE_SSRF
iptables -A OUTPUT -m owner --uid-owner parseserver -d 169.254.169.254 -j PARSE_SSRF
iptables -A OUTPUT -m owner --uid-owner parseserver -d 127.0.0.0/8 -j PARSE_SSRF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.