CVE-2021-47987
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
The vulnerability concerns a supply chain incident in Parse Server before version 4.10.0, where incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (e.g., parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
Risk Assessment
The risk for the organization is the potential exploitation of unauthorized code that could have contained security vulnerabilities, potentially leading to compromise of integrity, confidentiality, or availability of systems using Parse Server.
Recommendation
It is recommended to immediately update Parse Server to version 4.10.0 or later and verify that no git dependencies reference the affected tags (e.g., parse-server#4.9.3).
Original NVD description (English source)
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.

