GHSA-48q3-prgv-gm4w: Parse Server exposes the data schema via GraphQL API

Impact

The Parse Server GraphQL API previously answered schema introspection queries from any client, without requiring a session token or the master key. Introspection reveals only metadata, not stored data, but that metadata (class names, field names and types, and the generated queries and mutations) hands an unauthenticated attacker a map of the application's data model and so expands the attack surface for targeted queries.

Patches

The issue has been addressed by requiring the master key for schema introspection. A new Parse Server configuration option, graphQLPublicIntrospection, re-enables public introspection for applications that depend on it (for example, tooling that generates client code from the live schema). It is strongly recommended to treat this option as a temporary measure and to update the application so that it no longer needs public introspection.
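The following is an added example, not code from the Parse Server project, covering both the impact above (what an anonymous introspection query reveals) and the fix (verifying that a patched deployment refuses it). It sends the query as an anonymous client would, with the application id header but no X-Parse-Master-Key and no X-Parse-Session-Token, and classifies the answer. The endpoint URL and application id are the caller's; the assumption that a patched server answers with an "errors" array and no "__schema" data is labelled in the code, and the exact error text is not relied on. The sample responses are constructed for offline use.

```javascript
// Added example, not Parse Server's own code: probe whether a Parse Server
// GraphQL endpoint answers schema introspection for an anonymous client, and
// list the types the schema reveals. Assumptions (hypothetical): the endpoint
// URL and application id are supplied by the caller; a patched server answers
// an unauthenticated introspection query with an "errors" array and no
// "__schema" data (the exact error text is not relied on).

// Minimal introspection query: enough to prove the schema is readable and to
// recover type and field names.
const INTROSPECTION_QUERY = '{ __schema { types { name fields { name } } } }';

// Build the request exactly as an anonymous client would send it: the
// application id header only, no X-Parse-Master-Key and no X-Parse-Session-Token.
function buildIntrospectionRequest(appId) {
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-Parse-Application-Id': appId,
    },
    body: JSON.stringify({ query: INTROSPECTION_QUERY }),
  };
}

// Classify a GraphQL response body:
//   'exposed' - the schema came back, so introspection is public
//   'blocked' - the server answered with errors and no schema
//   'unknown' - neither (not a GraphQL response, or an unexpected shape)
function classifyIntrospectionResponse(body) {
  const schema = body && body.data && body.data.__schema;
  if (schema && Array.isArray(schema.types)) return 'exposed';
  if (body && Array.isArray(body.errors) && body.errors.length > 0) return 'blocked';
  return 'unknown';
}

// Type names an exposed schema reveals, minus GraphQL's own introspection
// types (names starting with "__"). Parse Server generates GraphQL object
// types from the Parse classes, so this list maps the data model together
// with the Query/Mutation roots and generated helper types.
function exposedTypeNames(body) {
  if (classifyIntrospectionResponse(body) !== 'exposed') return [];
  return body.data.__schema.types
    .map((t) => t.name)
    .filter((name) => typeof name === 'string' && !name.startsWith('__'));
}

// Send the probe and summarise the result. fetchImpl is injectable so the
// function can be exercised offline with a stub.
async function probeIntrospection(url, appId, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, buildIntrospectionRequest(appId));
  const body = await res.json();
  const verdict = classifyIntrospectionResponse(body);
  return { status: res.status, verdict, types: exposedTypeNames(body) };
}

// Constructed sample responses for offline use; not captured from a real server.
const SAMPLE_EXPOSED = {
  data: {
    __schema: {
      types: [
        { name: 'Query', fields: [{ name: 'users' }, { name: 'invoices' }] },
        { name: 'User', fields: [{ name: 'username' }, { name: 'email' }] },
        { name: 'Invoice', fields: [{ name: 'amount' }, { name: 'customer' }] },
        { name: '__Schema', fields: [{ name: 'types' }] },
      ],
    },
  },
};
const SAMPLE_BLOCKED = { errors: [{ message: 'unauthorized: master key is required' }] };
```

Run `probeIntrospection('https://your-parse-host/graphql', 'yourAppId')` before and after upgrading to 7.5.3 or 8.2.2: a verdict of 'exposed' on a patched version means graphQLPublicIntrospection has been switched on and should be reviewed. The same probe, sent with an X-Parse-Master-Key header added, should still return 'exposed', which confirms the fix gates on the master key rather than disabling introspection outright.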

Workarounds

None available.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w
  • Fix for Parse Server 7: https://github.com/parse-community/parse-server/pull/9820
  • Fix for Parse Server 8: https://github.com/parse-community/parse-server/pull/9819
Source: ghsa
Tags: #vulnerability #web #nodejs #git


GitHub Advisory Database entry (GitHub Reviewed): CVE-2025-53364

Package: parse-server (npm)

Affected versions:

  • >= 5.3.0, < 7.5.3
  • >= 8.0.0, < 8.2.2

Patched versions: 7.5.3, 8.2.2


Published to the GitHub Advisory Database

Jul 10, 2025

Last updated

Jul 10, 2025
