CVE-2025-53364

Published: Jul 10, 2025Modified: Jul 15, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2.

Related CWEs

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

References (3)

https://github.com/parse-community/parse-server/pull/9819

Source: security-advisories@github.com

https://github.com/parse-community/parse-server/pull/9820

Source: security-advisories@github.com

https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w

Source: security-advisories@github.com

Timeline

No history available yet.