N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64502

GHSA ID

GHSA-7cx5-254x-cgrq

EPSS Score

0.18838%

CWE

CWE-201

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64502

CVE-2025-64502: Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details

Impact

The MongoDB explain() method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Parse Server permits any client to execute explain queries without requiring the master key. This exposes:

Database schema structure and field names
Index configurations and query optimization details
Query execution statistics and performance metrics
Potential attack vectors for database performance exploitation

Patches

A new databaseOptions.allowPublicExplain configuration option has been introduced that allows to restrict explain queries to the master key. The option defaults to true for now to avoid a breaking change in production systems that depends on public explain availability. In addition, a security warning is logged when the option is not explicitly set, or set to true. In a future major release of Parse Server, the default will change to false.

Workarounds

Implementing middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64502

CVE-2025-64502:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64502

GHSA ID

GHSA-7cx5-254x-cgrq

EPSS Score

0.18838%

CWE

CWE-201

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 8.5.0-alpha.5	8.5.0-alpha.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows any client to execute MongoDB explain queries, which can expose sensitive database information. The patch addresses this by introducing a new configuration option, allowPublicExplain, and adding a check within the runFindTriggers function in src/rest.js. This function is the central point for handling find queries. The patch adds logic to this function to check if an explain query is being made (restOptions.explain) and if the request is from a user without master key privileges (!auth.isMaster). If allowPublicExplain is configured to be false, it throws an error, preventing the unauthorized execution of the explain query. The vulnerability, therefore, exists in the runFindTriggers function due to the absence of this authorization check in the vulnerable versions. The other modified files are related to the implementation of the new configuration option and associated security checks, but the core vulnerable logic is within runFindTriggers.

Vulnerable functions

runFindTriggers

src/rest.js

The vulnerability lies in the `runFindTriggers` function, which is responsible for handling find operations. Before the patch, this function did not perform any authorization checks when the `explain` parameter was present in the request options (`restOptions`). This allowed any user, even without the master key, to execute a MongoDB `explain` query by simply adding `explain: true` to their query. The `explain` command exposes sensitive information about the database schema, indexes, and query performance. The patch mitigates this by adding a check to verify if the user has master key privileges (`auth.isMaster`) whenever `restOptions.explain` is true and the new `allowPublicExplain` setting is `false`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64502: Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details

Impact

Patches

Workarounds

CVE-2025-64502:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64502: Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details

Impact

Patches

Workarounds

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI