-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability lies in the Parse Server's GraphQL API, which, by default, allowed public schema introspection without requiring any authentication. This could expose sensitive metadata about the database schema, increasing the application's attack surface.
The analysis of the provided patches, specifically commits 269f4cee57d44eeb0eb1acd5e8e197f3136d87cf and af882e2d31db29b3f90ccd424c46f3f545ec3b8c, reveals two key areas of change that address this vulnerability.
First, the _createApolloServer method within the ParseGraphQLServer class was identified as the root cause. In vulnerable versions, this method hardcoded the introspection option for the Apollo Server to true. The patch changes this to respect a new configuration setting, graphQLPublicIntrospection, which defaults to false, thus disabling public introspection.
Second, a new Apollo Server plugin, IntrospectionControlPlugin, was introduced. This plugin implements the access control logic in its didResolveOperation method. This method inspects each GraphQL query. If it's an introspection query and the request does not provide a master or maintenance key, the plugin throws an error, effectively blocking unauthorized schema access. The presence of this function in a runtime profile would indicate that the patched version is in use and the check is being performed.
Therefore, the vulnerable function is ParseGraphQLServer._createApolloServer because it sets up the insecure configuration, and the IntrospectionControlPlugin.requestDidStart.didResolveOperation function is a key runtime indicator of the fix, as its absence is what constitutes the vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| parse-server | npm | >= 8.0.0, < 8.2.2 | 8.2.2 |
| parse-server | npm | >= 5.3.0, < 7.5.3 | 7.5.3 |