Impact
Parse Server versions prior to 4.10.0 were affected by a supply-chain incident in which malicious Git tags were pushed to the official repository. These tags pointed at commits on an unreviewed personal fork belonging to a contributor with write access, so the code they referenced never went through the project's release process. A project that declared a git-based dependency referencing one of those tags (for example, parse-server#4.9.3) would have pulled code that the project maintainers had not reviewed. No active malicious code was found in the affected tags, but the possibility of injected vulnerabilities could not be ruled out. The weakness is CWE-494 (Download of Code Without Integrity Check): a git tag is fetched and installed without any check that it corresponds to a reviewed release, and because the installed code runs with the application's privileges, a tampered tag can lead to arbitrary code execution.
Affected Systems
All installations of parse-community/parse-server older than 4.10.0 are affected. The exposure arises when the application, or one of its dependencies, declares a git-based dependency on the repository that references one of the tags pushed during the incident; an npm install of a registry-published release fetches the published tarball rather than a repository tag, so the git-based reference is the path to check for. Releases 4.10.0 and later are not affected.
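The following is an added example, not code from the Parse Server project or from the advisory. It audits a package.json and a package-lock.json for the two conditions described above: dependency specs that npm resolves from a git host (which install whatever the named tag points at, rather than a reviewed registry release) and parse-server ranges that can resolve below 4.10.0. The sample manifest and lockfile are constructed for illustration, the package name some-lib is hypothetical, and the integrity values are placeholders rather than real hashes.

```javascript
// Added example (not Parse Server project code): audit an npm manifest and
// lockfile for git-based dependency specs and for parse-server versions that
// can resolve below the fixed release 4.10.0.

const FIXED_VERSION = [4, 10, 0];

// Spec forms npm fetches from git rather than from the registry: git+<url>,
// git://, the github:/gitlab:/bitbucket:/gist: prefixes, bare GitHub-style
// URLs, and the owner/repo[#ref] shorthand (e.g. parse-community/parse-server#4.9.3).
const GIT_SPEC = /^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:|https?:\/\/(github|gitlab|bitbucket)\.com\/|[\w.-]+\/[\w.-]+(#.*)?$)/;

function isGitSpec(spec) {
  return GIT_SPEC.test(spec);
}

// Lowest x.y.z a spec can resolve to, read from its first version literal
// ("^4.9.3" -> [4, 9, 3]); null when there is none ("*", "latest", "next").
function minVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One finding per problematic dependency: { name, spec, reasons }.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reasons = [];
      if (isGitSpec(spec)) {
        reasons.push('git-based spec: installs whatever the ref points at, not a reviewed registry release');
      }
      if (name === 'parse-server') {
        const v = minVersion(spec);
        if (v === null) reasons.push('minimum version cannot be determined from spec');
        else if (compareVersions(v, FIXED_VERSION) < 0) reasons.push('may resolve below 4.10.0');
      }
      if (reasons.length) findings.push({ name, spec, reasons });
    }
  }
  return findings;
}

// Lockfile check: a registry tarball entry carries an `integrity` hash that
// npm verifies on install; a git-resolved entry has a git+ URL and no hash.
function auditLockfile(lock) {
  const entries = lock.packages
    ? Object.entries(lock.packages).filter(([path]) => path !== '') // lockfileVersion 2/3
    : Object.entries(lock.dependencies || {}).map(([n, e]) => ['node_modules/' + n, e]); // v1
  const findings = [];
  for (const [path, entry] of entries) {
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (/^git(\+|:)/.test(entry.resolved || '')) {
      findings.push({ name, reason: 'resolved from git: ' + entry.resolved });
    } else if (!entry.integrity) {
      findings.push({ name, reason: 'no integrity hash recorded' });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical project; some-lib is made up).
const WEAK_MANIFEST = {
  dependencies: {
    'parse-server': 'parse-community/parse-server#4.9.3', // git shorthand to a tag
    'some-lib': 'git+https://github.com/example/some-lib.git#v1.2.3',
    'express': '^4.17.1',
  },
};
const FIXED_MANIFEST = {
  dependencies: { 'parse-server': '^4.10.0', 'some-lib': '^1.2.3', 'express': '^4.17.1' },
};
const WEAK_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app' },
    'node_modules/parse-server': {
      version: '4.9.3',
      resolved: 'git+ssh://git@github.com/parse-community/parse-server.git#placeholder-commit',
    },
    'node_modules/express': {
      version: '4.17.1',
      resolved: 'https://registry.npmjs.org/express/-/express-4.17.1.tgz',
      integrity: 'sha512-placeholder-not-a-real-hash',
    },
  },
};

console.log(JSON.stringify({
  manifest: auditManifest(WEAK_MANIFEST),
  fixedManifest: auditManifest(FIXED_MANIFEST),
  lockfile: auditLockfile(WEAK_LOCK),
}, null, 2));
```

In a real repository, read the two files with `JSON.parse(fs.readFileSync(...))` and feed them to `auditManifest` and `auditLockfile`; a non-empty result from either is a reason to replace the git reference with a registry range of `^4.10.0` or later and regenerate the lockfile.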
Risk and Exploitability
The flaw carries a CVSS score of 7.7 (High). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that a developer or release pipeline install the project through a git-based dependency referencing an affected tag; there is no direct network attack path, and the flaw is exploited indirectly through supply-chain tampering. Because no active malicious code was found in the tags, actual compromise would require that the referenced fork carry injected code or be changed to carry it later; since a git tag is only a movable pointer, such a change would be picked up on the next install without any warning. The potential for arbitrary code execution therefore warrants prompt remediation: upgrade to 4.10.0 or later and replace git-based references to the repository with registry releases.
OpenCVE Enrichment