CVE-2025-67727 Overview
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. A Code Injection vulnerability (CWE-94) exists in versions prior to 8.6.0-alpha.2 where a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions. This misconfiguration gives the workflow access to the GitHub secrets and write permissions that are defined in the workflow, potentially allowing code from a fork, or package lifecycle scripts, to be executed with elevated privileges.
Critical Impact
Attackers could leverage this vulnerability to access sensitive GitHub secrets and execute malicious code within the CI/CD pipeline, potentially compromising the software supply chain for Parse Server and its downstream users.
Affected Products
- Parse Server versions prior to 8.6.0-alpha.2
- Parse Server version 8.6.0-alpha1
- Public GitHub forks with GitHub Actions enabled
Discovery Timeline
- December 12, 2025 - CVE-2025-67727 published to NVD
- December 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-67727
Vulnerability Analysis
This vulnerability represents a supply chain security risk within the Parse Server project's CI/CD infrastructure. The root issue stems from improper configuration of GitHub Actions workflows that process code from untrusted sources (forks) while maintaining elevated permissions to repository secrets and write access.
When a pull request is submitted from a forked repository, the CI workflow executes with permissions that should only be available to trusted code. This creates an opportunity for attackers to craft malicious pull requests containing code that, when executed by the CI pipeline, can exfiltrate secrets or modify repository contents.
The vulnerability specifically affects the repository's CI/CD infrastructure rather than the Parse Server application itself. However, compromise of the CI/CD pipeline could lead to malicious code being injected into official releases.
Root Cause
The vulnerability originates from a GitHub Actions workflow configuration that fails to properly isolate untrusted code execution from privileged operations. The workflow grants elevated permissions (access to secrets, write permissions) to runs that may include code from external contributors via pull requests from forks. Additionally, lifecycle scripts from dependencies could be included in the execution context, providing another vector for malicious code execution.
Attack Vector
The attack can be executed remotely over the network without any privileges or user interaction required. An attacker would:
- Fork the Parse Server repository
- Create a malicious pull request containing code designed to exfiltrate secrets or execute arbitrary commands
- Submit the pull request to trigger the CI workflow
- The workflow executes with elevated permissions, allowing the malicious code to access GitHub secrets or write to the repository
The patches address this by modifying how the build configuration and GraphQL schema handle object types and reserved names:
return wrap(t.identifier('objectParser'));
} else if (t.isBooleanTypeAnnotation(elt)) {
return wrap(t.identifier('booleanParser'));
+ } else if (t.isObjectTypeAnnotation(elt)) {
+ return wrap(t.identifier('objectParser'));
} else if (t.isGenericTypeAnnotation(elt)) {
const type = elt.typeAnnotation.id.name;
if (type == 'Adapter') {
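Review bot: the two added lines introduce an `isObjectTypeAnnotation` branch that resolves to the same `objectParser` identifier the first context line of the hunk already returns from an earlier branch, so the same mapping is now produced from two places; consider folding the new condition into the existing branch with `||` rather than duplicating the `return wrap(t.identifier('objectParser'));` line. The hunk also carries no comment or test saying which definition-file annotation the new branch is expected to handle, which makes it hard to connect this build-script change to the CI-permission issue the advisory describes; a one-line comment above the branch or a test in the same commit would close that gap.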
Source: GitHub Commit e3d27fe
'DeleteClassPayload',
'PageInfo',
];
-const RESERVED_GRAPHQL_QUERY_NAMES = ['health', 'viewer', 'class', 'classes'];
+const RESERVED_GRAPHQL_QUERY_NAMES = ['health', 'viewer', 'class', 'classes', 'cloudConfig'];
const RESERVED_GRAPHQL_MUTATION_NAMES = [
'signUp',
'logIn',
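Review bot: adding `'cloudConfig'` to `RESERVED_GRAPHQL_QUERY_NAMES` is a behaviour change for any deployment that already exposes a class or custom query under that name, which will now collide with the reserved name; the hunk includes neither a test asserting that `cloudConfig` is refused at schema build time nor a changelog note. Suggest adding both alongside the one-line list change so the new reservation is visible to users upgrading to 8.6.0-alpha.2.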
Source: GitHub Commit e3d27fe
Detection Methods for CVE-2025-67727
Indicators of Compromise
- Unexpected or unauthorized workflow runs triggered from forked repositories
- Unusual secret access patterns in GitHub Actions audit logs
- Modifications to repository contents or releases not corresponding to legitimate developer activity
- New or modified workflow files appearing in pull requests from unknown contributors
Detection Strategies
- Monitor GitHub Actions workflow runs for executions originating from forked repositories
- Review GitHub audit logs for unauthorized access to repository secrets
- Implement branch protection rules requiring approval before workflows run on external contributions
- Enable GitHub's secret scanning and push protection features
Monitoring Recommendations
- Set up alerts for workflow runs from forked repositories that access sensitive secrets
- Monitor for any unexpected changes to workflow definition files (.github/workflows/)
- Review all pull requests from external contributors for suspicious lifecycle scripts or workflow triggers
- Audit GitHub Actions permissions and secret scopes regularly
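The monitoring advice above (flagging workflow runs that originate from forks, and in particular those that ran with access to secrets) can be turned into a small triage pass over the records the GitHub REST API returns for `GET /repos/{owner}/{repo}/actions/runs`. The following is an added example, not code from the advisory or from the Parse Server project; the four run records are constructed to mirror the shape of the API's `workflow_runs` entries (field names are the API's, organisation, user and run ids are made up), and `PRIVILEGED_EVENTS` is this example's own list of triggers that run with the base repository's token scope even when the head commit comes from a fork.

```python
"""Triage GitHub Actions runs: which ones came from a fork, and did they run privileged?

Added example, not Parse Server's own code. SAMPLE_RUNS is constructed to mirror
the `workflow_runs` entries of GET /repos/{owner}/{repo}/actions/runs.
"""
import json

# Triggers whose runs use the base repository's GITHUB_TOKEN and secrets
# regardless of where the head commit came from (assumption of this example;
# pull_request_target is the case the advisory describes).
PRIVILEGED_EVENTS = {"pull_request_target", "workflow_run", "issue_comment"}

# Constructed records: one in-repo PR, one fork PR under the read-only
# `pull_request` trigger, one fork PR under `pull_request_target`, one push.
SAMPLE_RUNS = json.loads("""
{"workflow_runs": [
 {"id": 101, "name": "ci", "event": "pull_request", "head_branch": "feature-x",
  "actor": {"login": "alice"},
  "repository": {"full_name": "example-org/example-app"},
  "head_repository": {"full_name": "example-org/example-app", "fork": false}},
 {"id": 102, "name": "ci", "event": "pull_request", "head_branch": "fix-typo",
  "actor": {"login": "outside-contributor"},
  "repository": {"full_name": "example-org/example-app"},
  "head_repository": {"full_name": "outside-contributor/example-app", "fork": true}},
 {"id": 103, "name": "ci", "event": "pull_request_target", "head_branch": "deps-bump",
  "actor": {"login": "outside-contributor"},
  "repository": {"full_name": "example-org/example-app"},
  "head_repository": {"full_name": "outside-contributor/example-app", "fork": true}},
 {"id": 104, "name": "release", "event": "push", "head_branch": "main",
  "actor": {"login": "alice"},
  "repository": {"full_name": "example-org/example-app"},
  "head_repository": {"full_name": "example-org/example-app", "fork": false}}
]}
""")


def is_from_fork(run):
    """True when the head commit lives outside the base repository.

    `head_repository` can be null when the fork has since been deleted; treat
    that as a fork too, since the code cannot be inspected any more.
    """
    head = run.get("head_repository") or {}
    base = run.get("repository") or {}
    return bool(head.get("fork")) or head.get("full_name") != base.get("full_name")


def classify_run(run):
    """Return (severity, reason) for runs worth a look, or None."""
    if not is_from_fork(run):
        return None
    event = run.get("event")
    if event in PRIVILEGED_EVENTS:
        return ("high", f"fork head ran under {event} with base-repo token and secrets")
    # Fork PRs under `pull_request` get a read-only token and no repository secrets.
    return ("info", f"fork head ran under {event} (read-only token, no repository secrets)")


def triage(runs_payload):
    """Reduce an API payload to a list of findings, most useful fields only."""
    findings = []
    for run in runs_payload.get("workflow_runs", []):
        verdict = classify_run(run)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "id": run["id"],
            "workflow": run.get("name"),
            "actor": (run.get("actor") or {}).get("login"),
            "head": (run.get("head_repository") or {}).get("full_name"),
            "severity": severity,
            "reason": reason,
        })
    return findings


def high_severity(runs_payload):
    """Only the runs that should page someone: fork code in a privileged context."""
    return [f for f in triage(runs_payload) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_RUNS):
        print(f"[{f['severity']}] run {f['id']} ({f['workflow']}) by {f['actor']} "
              f"from {f['head']}: {f['reason']}")
```

The `info` class is kept on purpose: a fork PR under `pull_request` is the normal, sandboxed case, and seeing it in the output alongside the `high` finding makes the difference between the two triggers concrete when reviewing a day's runs.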
How to Mitigate CVE-2025-67727
Immediate Actions Required
- Upgrade Parse Server to version 8.6.0-alpha.2 or later immediately
- Review GitHub Actions workflow configurations for proper permission scoping
- Rotate any secrets that may have been exposed to untrusted workflow runs
- Audit recent workflow runs from forked repositories for signs of compromise
Patch Information
The vulnerability has been fixed in Parse Server version 8.6.0-alpha.2. The patches are available in commits 6b9f896 and e3d27fe. Users should update to the patched version by running:
npm update parse-server@8.6.0-alpha.2
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-6w8g-mgvv-3fcj.
Workarounds
- Disable GitHub Actions on public forks until the patch can be applied
- Configure workflows to use pull_request_target with caution, ensuring no untrusted code is checked out before secret access
- Implement manual approval gates for workflow runs from external contributors
- Restrict workflow permissions to the minimum required using the permissions key in workflow files
# Example workflow permission restriction in .github/workflows/ci.yml
# Add to the top of your workflow file:
permissions:
  contents: read
  pull-requests: read
# Avoid granting write permissions or secrets access to workflows triggered by forks
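The root-cause description and the workarounds above come down to three things a reviewer can check in a workflow file: the trigger (`pull_request_target` runs with the base repository's privileges), whether the job checks out the pull request's head commit before secrets are used, and whether package lifecycle scripts run on that untrusted checkout. The following is an added example, not code from the advisory or the Parse Server repository: a small audit function over a workflow that has already been loaded with `yaml.safe_load()`, with a constructed weak workflow beside a constructed hardened one. The two workflow dicts and the list of install commands it looks for are this example's own assumptions.

```python
"""Audit a parsed GitHub Actions workflow for the fork-privilege pattern.

Added example, not Parse Server's own code. Workflows are passed as the dict
that yaml.safe_load() produces; the two samples below are constructed.
"""

WRITE_GRANTS = ("write", "write-all")
PR_HEAD_REFS = ("pull_request.head.sha", "pull_request.head.ref")
INSTALL_COMMANDS = ("npm install", "npm ci", "yarn install", "pnpm install")


def trigger_events(wf):
    """Set of event names the workflow runs on.

    PyYAML follows YAML 1.1, so a bare `on:` key loads as the boolean True,
    not the string "on"; look under both keys.
    """
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def grants_write(perms):
    """True if a `permissions` value gives the token any write scope.

    A missing key means the repository default applies, which may be
    read-write; the audit treats "unknown" as a finding.
    """
    if perms is None:
        return True
    if isinstance(perms, str):
        return perms in WRITE_GRANTS
    return any(v == "write" for v in perms.values())


def checks_out_pr_head(step):
    """actions/checkout pinned to the PR's own head commit or branch."""
    uses = step.get("uses") or ""
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and any(r in ref for r in PR_HEAD_REFS)


def runs_lifecycle_scripts(step):
    """Package install that would execute postinstall and similar hooks."""
    run = step.get("run") or ""
    return any(cmd in run for cmd in INSTALL_COMMANDS) and "--ignore-scripts" not in run


def exposes_secrets(step):
    """Step that passes `secrets.*` into its environment or inputs."""
    return "secrets." in str(step.get("env") or {}) or "secrets." in str(step.get("with") or {})


def audit_workflow(wf):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    privileged = "pull_request_target" in trigger_events(wf)
    if privileged and grants_write(wf.get("permissions")):
        findings.append("pull_request_target trigger with a write-capable (or default) token scope")
    for job_name, job in (wf.get("jobs") or {}).items():
        untrusted_code_present = False
        for step in job.get("steps") or []:
            if checks_out_pr_head(step):
                untrusted_code_present = True
                if privileged:
                    findings.append(f"{job_name}: checks out the PR head under pull_request_target")
            if untrusted_code_present and runs_lifecycle_scripts(step):
                findings.append(f"{job_name}: runs package lifecycle scripts on the untrusted checkout")
            if untrusted_code_present and exposes_secrets(step):
                findings.append(f"{job_name}: exposes secrets to a step after the untrusted checkout")
    return findings


# Constructed weak workflow, written the way PyYAML loads it (note the True key).
WEAK_WORKFLOW = {
    "name": "ci",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci"},
        {"run": "npm test", "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}

# Constructed hardened workflow: read-only trigger and token, default merge-ref
# checkout, lifecycle scripts disabled, no secrets in the job.
HARDENED_WORKFLOW = {
    "name": "ci",
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci --ignore-scripts"},
        {"run": "npm test"},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {audit_workflow(wf) or 'no findings'}")
```

The audit deliberately treats a missing top-level `permissions` key as a finding, because the effective default depends on repository settings rather than on anything visible in the file; the `permissions: contents: read` block shown above is what makes a workflow auditable from its own text.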
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

