Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68115

CVE-2025-68115: Parse Server Reflected XSS Vulnerability

CVE-2025-68115 is a reflected cross-site scripting flaw in Parse Server's password reset and email verification pages. This article covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-68115 Overview

CVE-2025-68115 is a Reflected Cross-Site Scripting (XSS) vulnerability in Parse Server, an open source Node.js backend maintained by the Parse Platform community. The flaw affects the built-in password reset and email verification HTML pages, which render user-controlled values without proper output encoding. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in the context of the Parse Server origin. The issue is tracked under CWE-79 and is fixed in versions 8.6.1 and 9.1.0-alpha.3.

Critical Impact

Attackers can execute arbitrary JavaScript in a victim's browser via crafted password reset or email verification links, enabling session theft, credential harvesting, and account takeover.

Affected Products

  • Parse Server versions prior to 8.6.1
  • Parse Server 9.0.0 (including alpha releases alpha1 through alpha11)
  • Parse Server 9.1.0-alpha.1 and 9.1.0-alpha.2

Discovery Timeline

  • 2025-12-16 - CVE-2025-68115 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-68115

Vulnerability Analysis

Parse Server ships built-in HTML pages that handle the password reset and email verification workflows. These pages incorporate values supplied through URL parameters, such as tokens, usernames, and application identifiers, directly into the rendered HTML response. Prior to the patched releases, Parse Server did not escape these user-controlled values before insertion, allowing HTML and JavaScript payloads to break out of their intended context.

The vulnerability is reflected in nature, meaning the payload is delivered in the request and echoed back in the response without persistent storage. Exploitation requires user interaction: a victim must click a malicious link crafted by the attacker. Successful exploitation runs script under the Parse Server origin, exposing session cookies, tokens, and any data accessible to authenticated users of applications hosted on the affected instance.

Root Cause

The root cause is missing output encoding when rendering dynamic values inside the password reset and email verification HTML templates. The upstream fix, delivered in pull requests #9985 and #9986, applies HTML escaping to user-controlled inputs before they are inserted into the response body.

Attack Vector

An attacker constructs a URL pointing to the vulnerable password reset or email verification endpoint of a targeted Parse Server deployment. The URL embeds a JavaScript payload inside a parameter that gets reflected into the HTML. The attacker delivers this link through phishing email, social media, or malicious redirects. When the victim opens the link in a browser, the injected script executes in the Parse Server origin, enabling exfiltration of authentication tokens or in-browser actions performed as the victim. Detailed exploitation specifics are documented in the GitHub Security Advisory GHSA-jhgf-2h8h-ggxv.

Detection Methods for CVE-2025-68115

Indicators of Compromise

  • Web server or reverse proxy logs showing requests to password reset or email verification endpoints containing HTML tags, <script> fragments, javascript: URIs, or event-handler attributes such as onerror= and onload=.
  • Unusually long query strings on password reset or verification URLs, or URL-encoded payloads decoding to script content.
  • Referrer patterns showing users arriving at Parse Server endpoints from unexpected external domains prior to authentication anomalies.

Detection Strategies

  • Inspect HTTP access logs for requests to Parse Server routes that render password reset and email verification pages, filtering for parameters containing <, >, %3C, %3E, or common XSS keywords.
  • Deploy a Web Application Firewall (WAF) rule set that identifies reflected XSS patterns targeting the affected endpoints.
  • Correlate suspicious link clicks with subsequent authentication or session events for the same user to identify potential session hijacking.

Monitoring Recommendations

  • Enable a strict Content Security Policy (CSP) on the Parse Server origin and monitor CSP violation reports for unexpected inline script execution.
  • Track error rates and anomalous request volumes on password reset and email verification endpoints.
  • Alert on outbound requests from user browsers to unknown domains immediately after visiting Parse Server email flow URLs.

How to Mitigate CVE-2025-68115

Immediate Actions Required

  • Upgrade Parse Server to version 8.6.1 on the 8.x branch, or to 9.1.0-alpha.3 or later on the 9.x branch.
  • Audit web and application logs for prior requests to password reset and email verification endpoints containing script-like payloads.
  • Rotate any credentials or session tokens tied to accounts that may have followed suspicious reset or verification links.

Patch Information

The Parse Platform maintainers released fixes in Parse Server 8.6.1 and 9.1.0-alpha.3. The patches escape user-controlled values inserted into the password reset and email verification HTML pages. Technical details are available in GitHub Pull Request #9985, GitHub Pull Request #9986, and the GitHub Security Advisory GHSA-jhgf-2h8h-ggxv.

Workarounds

  • No official workarounds are available per the vendor advisory; upgrading is required.
  • As a compensating control, place a WAF or reverse proxy in front of Parse Server to block requests to password reset and email verification endpoints that contain HTML metacharacters or script keywords.
  • Enforce a restrictive Content Security Policy that disallows inline scripts on the Parse Server origin to reduce the impact of any residual reflection.
bash
# Upgrade Parse Server to a patched release using npm
npm install parse-server@8.6.1

# Or, for the 9.x pre-release branch
npm install parse-server@9.1.0-alpha.3

# Verify the installed version
npm ls parse-server

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.