
CVE-2025-53364: Parse Server exposes the data schema via GraphQL API

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.05772%
Published: 7/10/2025
Updated: 7/10/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
parse-server   npm         >= 8.0.0, < 8.2.2     8.2.2
parse-server   npm         >= 5.3.0, < 7.5.3     7.5.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the Parse Server's GraphQL API, which, by default, allowed public schema introspection without requiring any authentication. This could expose sensitive metadata about the database schema, increasing the application's attack surface.

The analysis of the provided patches, specifically commits 269f4cee57d44eeb0eb1acd5e8e197f3136d87cf and af882e2d31db29b3f90ccd424c46f3f545ec3b8c, reveals two key areas of change that address this vulnerability.

First, the _createApolloServer method within the ParseGraphQLServer class was identified as the root cause. In vulnerable versions, this method hardcoded the introspection option for the Apollo Server to true. The patch changes this to respect a new configuration setting, graphQLPublicIntrospection, which defaults to false, thus disabling public introspection.

Second, a new Apollo Server plugin, IntrospectionControlPlugin, was introduced. This plugin implements the access control logic in its didResolveOperation method, which inspects each GraphQL operation. If the operation is an introspection query and the request does not carry a master or maintenance key, the plugin throws an error, blocking unauthorized schema access. The presence of this function in a runtime profile indicates that the patched version is in use and the check is being performed.

Therefore, the vulnerable function is ParseGraphQLServer._createApolloServer because it sets up the insecure configuration, and the IntrospectionControlPlugin.requestDidStart.didResolveOperation function is a key runtime indicator of the fix, as its absence is what constitutes the vulnerability.

Vulnerable functions

ParseGraphQLServer._createApolloServer
src/GraphQL/ParseGraphQLServer.js
This function is responsible for creating and configuring the Apollo GraphQL server. Before the patch, it unconditionally enabled GraphQL introspection (`introspection: true`), which made the database schema publicly accessible without any authentication. The patch modifies this function to make introspection configurable and disabled by default.

IntrospectionControlPlugin.requestDidStart.didResolveOperation
src/GraphQL/ParseGraphQLServer.js
This function was added as part of the patch to fix the vulnerability. It is an Apollo Server plugin that checks every incoming GraphQL request. If the request is an introspection query (i.e., it contains '__schema') and the user is not authenticated with a master or maintenance key, the request is blocked. The absence of this check in vulnerable versions is what allowed the information disclosure.
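The introspection check described above, as an added example in the shape of an Apollo Server plugin (this is not Parse Server's own code): it rejects any operation that touches the `__schema` or `__type` meta-fields unless the request's auth object carries a master or maintenance key, so it goes slightly beyond the advisory's `__schema` check. The hook names follow the Apollo plugin API; the `contextValue.auth` shape with `isMaster` and `isMaintenance` flags, the `publicIntrospection` option standing in for graphQLPublicIntrospection, and the text-based introspection test are assumptions made for this example.

```javascript
// Added example, not Parse Server's own code. Assumed shapes: the Apollo
// request context carries `request.query` (raw query text) and
// `contextValue.auth` with `isMaster` / `isMaintenance` flags.

// Introspection operations address the `__schema` or `__type` meta-fields.
// Token boundaries keep user fields such as `__schemaVersion` from matching.
// (Text heuristic for the example; a server would walk the parsed AST.)
const INTROSPECTION_FIELD = /\b__(schema|type)\b/;

function isIntrospectionQuery(query) {
  return typeof query === 'string' && INTROSPECTION_FIELD.test(query);
}

function hasPrivilegedKey(auth) {
  return Boolean(auth && (auth.isMaster || auth.isMaintenance));
}

// `publicIntrospection` plays the role of the graphQLPublicIntrospection
// setting from the advisory; the secure default is false.
function introspectionControlPlugin({ publicIntrospection = false } = {}) {
  return {
    requestDidStart() {
      return {
        // Runs once the operation is parsed and validated, before resolvers.
        didResolveOperation(requestContext) {
          if (publicIntrospection) return;
          const { request, contextValue } = requestContext;
          if (!isIntrospectionQuery(request.query)) return;
          if (hasPrivilegedKey(contextValue && contextValue.auth)) return;
          throw new Error('Introspection requires a master or maintenance key');
        },
      };
    },
  };
}

// Drives the hook outside a running server: returns 'allowed' or the
// rejection message, so the policy can be checked for a given query + auth.
function evaluate(plugin, query, auth) {
  const hooks = plugin.requestDidStart();
  try {
    hooks.didResolveOperation({ request: { query }, contextValue: { auth } });
    return 'allowed';
  } catch (err) {
    return err.message;
  }
}
```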

WAF Protection Rules

WAF Rule

### Impact
The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand

Reasoning

The vulnerability lies in the Parse Server's GraphQL API, which, by default, allowed public schema introspection without requiring any authentication. This could expose sensitive metadata about the database schema, increasing the application's attack