CVE-2025-67727
Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management
Description
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed version 8.6.0 and commits 6b9f896 and e3d27fe.
How to fix CVE-2025-67727
To remediate CVE-2025-67727, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.0 or later
Is CVE-2025-67727 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 8.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
References (4)
- WEBgithub.com/parse-community/parse-server/commit/6b9f8963cc3debf59cd9c5dfc5422aff9404ce9d
- WEBgithub.com/parse-community/parse-server/commit/e3d27fea08c8d8bdd9770a689bc2d757cda48b66
- WEBgithub.com/parse-community/parse-server/security/advisories/GHSA-6w8g-mgvv-3fcj
- WEBnvd.nist.gov/vuln/detail/CVE-2025-67727