Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format

Description

A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 8.0.0, <= 8.4.0-alpha.1

  >= 4.2.0, < 7.5.4**

• Patched version(s): **8.4.0-alpha.2

  7.5.4**

References

• GHSA-x4qj-2f4q-r4rx
• CVE-2025-64430
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
• Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
• Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
• uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086

You might also like:

Is your robots.txt file vulnerable? Here's how to check and secure it

Exploiting Server Version Disclosure

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

parse-server