{"id":"CVE-2025-57324","details":"parse is the Parse JavaScript SDK package. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse versions 5.3.0 and earlier allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) at a minimum.","aliases":["GHSA-9g8m-v378-pcg3"],"modified":"2026-04-10T05:32:39.605034Z","published":"2025-09-24T21:15:32.493Z","references":[{"type":"WEB","url":"https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/parse%405.3.0/index.js"},{"type":"ADVISORY","url":"https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57324"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/parse-community/parse-sdk-js","events":[{"introduced":"0"},{"last_affected":"c2019778eb06e6f7ea212c3f5a571b139f466dac"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.3.0"}]}}],"versions":["2.1.0","2.10.0","2.11.0","2.12.0","2.13.0","2.14.0","2.15.0","2.16.0","2.17.0","2.18.0","2.19.0","2.2.0","2.2.1","2.3.0","2.3.1","2.3.2","2.4.0","2.5.0","2.5.1","2.6.0","2.7.0","2.7.1","2.8.0","2.9.0","2.9.1","3.0.0","3.1.0","3.2.0","3.3.0","3.3.1","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.5.0","3.5.1","4.0.0","4.0.1","4.1.0","4.2.0","4.3.0","4.3.1","5.0.0","5.1.0","5.2.0","5.3.0","v1.10.0","v1.11.0","v1.11.1","v1.6.11","v1.6.12","v1.6.13","v1.6.14","v1.6.4","v1.6.6","v1.6.7","v1.6.8","v1.6.9","v1.7.0","v1.7.0-rc1","v1.7.1","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.9.1","v1.9.2","v2.0.0","v2.0.1","v2.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57324.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}