{"id":"CVE-2025-57324","details":"parse is the package for the Parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse versions 5.3.0 and earlier allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.","aliases":["GHSA-9g8m-v378-pcg3"],"modified":"2026-01-09T19:15:59.010618Z","published":"2025-09-24T21:15:32.493Z","references":[{"type":"WEB","url":"https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/parse%405.3.0/index.js"},{"type":"ADVISORY","url":"https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57324"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/parse-community/parse-sdk-js","events":[{"introduced":"0"},{"last_affected":"c2019778eb06e6f7ea212c3f5a571b139f466dac"}]}],"versions":["2.1.0","2.10.0","2.11.0","2.12.0","2.13.0","2.14.0","2.15.0","2.16.0","2.17.0","2.18.0","2.19.0","2.2.0","2.2.1","2.3.0","2.3.1","2.3.2","2.4.0","2.5.0","2.5.1","2.6.0","2.7.0","2.7.1","2.8.0","2.9.0","2.9.1","3.0.0","3.1.0","3.2.0","3.3.0","3.3.1","3.3.2-alpha.1","3.4.0","3.4.0-alpha.1","3.4.0-alpha.2","3.4.0-alpha.3","3.4.1","3.4.2","3.4.2-alpha.1","3.4.3","3.4.3-alpha.1","3.4.3-alpha.2","3.4.3-alpha.3","3.4.4","3.4.4-alpha.1","3.4.4-alpha.2","3.4.4-beta.1","3.5.0","3.5.0-alpha.1","3.5.0-alpha.2","3.5.0-alpha.3","3.5.0-alpha.4","3.5.0-alpha.5","3.5.0-alpha.6","3.5.0-alpha.7","3.5.0-alpha.8","3.5.0-beta.1","3.5.1","3.5.1-alpha.1","3.5.1-alpha.2","3.5.1-beta.1","3.5.1-beta.2","4.0.0","4.0.0-alpha.1","4.0.0-alpha.10","4.0.0-alpha.11","4.0.0-alpha.12","4.0.0-alpha.2","4.0.0-alpha.3","4.0.0-alpha.4","4.0.0-alpha.5","4.0.0-alpha.6","4.0.0-alpha.7","4.0.0-alpha.8","4.0.0-alpha.9","4.0.0-beta.1","4.0.1","4.0.1-beta.1","4.1.0","4.1.0-alpha.1","4.1.0-alpha.2","4.1.0-alpha.3","4.1.0-alpha.4","4.1.0-beta.1","4.2.0","4.2.0-alpha.1","4.2.0-alpha.10"
,"4.2.0-alpha.2","4.2.0-alpha.3","4.2.0-alpha.4","4.2.0-alpha.5","4.2.0-alpha.6","4.2.0-alpha.7","4.2.0-alpha.8","4.2.0-alpha.9","4.2.0-beta.1","4.3.0","4.3.0-alpha.1","4.3.0-alpha.2","4.3.0-alpha.3","4.3.0-alpha.4","4.3.0-alpha.5","4.3.0-alpha.6","4.3.0-beta.1","4.3.1","4.3.1-alpha.1","4.3.1-alpha.2","4.3.1-beta.1","5.0.0","5.0.0-alpha.1","5.0.0-alpha.2","5.0.0-alpha.3","5.0.0-alpha.4","5.0.0-beta.1","5.1.0","5.1.0-alpha.1","5.1.0-alpha.10","5.1.0-alpha.11","5.1.0-alpha.2","5.1.0-alpha.3","5.1.0-alpha.4","5.1.0-alpha.5","5.1.0-alpha.6","5.1.0-alpha.7","5.1.0-alpha.8","5.1.0-alpha.9","5.1.0-beta.1","5.1.1-alpha.1","5.2.0","5.2.0-alpha.1","5.2.0-alpha.2","5.2.0-alpha.3","5.2.0-alpha.4","5.2.0-beta.1","5.2.0-beta.2","5.3.0","5.3.0-alpha.1","5.3.0-alpha.2","5.3.0-beta.1","v1.10.0","v1.11.0","v1.11.1","v1.6.11","v1.6.12","v1.6.13","v1.6.14","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.6.9","v1.7.0","v1.7.0-rc1","v1.7.1","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.9.1","v1.9.2","v2.0.0","v2.0.1","v2.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57324.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}