SCA: security update for parse-server (GHSA-x4qj-2f4q-r4rx)

high Tenable Self-Hosted Container Security Plugin ID 435946

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In
versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery
(SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri
parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in
which Parse Server retrieves the file data from a URI that is provided in the request. A request to the
provided URI is executed, but the response is not stored in Parse Server's file storage as the server
crashes upon receiving the response. This issue is fixed in versions 7.5.4 and 8.4.0-alpha.1.
(CVE-2025-64430)

See Also

https://github.com/advisories/GHSA-x4qj-2f4q-r4rx

Plugin Details

Severity: High

ID: 435946

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 11/6/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.22

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-64430

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/5/2025

Vulnerability Publication Date: 11/5/2025

Reference Information

CVE: CVE-2025-64430

cwe: CWE-918