CVE-2025-53364

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While sche...

Parse Server exposes the data schema via GraphQL API

Impact The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. Patches The issue has...

@kontaa/subgraph (>=1.0.1 <=1.2.3), @kontaa/utils (>=1.2.1 <=1.2.3) +4 more potentially affected by CVE-2025-53364 via parse-server (>=5.6.0 <=6.5.11)

parse-server NPM version =5.6.0, =1.0.1, =1.2.1, =2.4.46, =1.0.0, =1.0.1, =1.0.23 - servable-publishable =1.1.0 Source cves: CVE-2025-53364 Source advisory: OSV:GHSA-48Q3-PRGV-GM4W...

GHSA-48Q3-PRGV-GM4W Parse Server exposes the data schema via GraphQL API

Impact The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. Patches The issue has...

CVE-2025-53364

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While sche...

CVE-2025-53364 Parse Server exposes the data schema via GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While sche...

CVE-2025-53364

Summary (Parse Server - GraphQL Schema Information Disclosure, CVE-2025-53364) The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. This could expose API structure metadata (not actual data), potentially increasin...

CVE-2025-53364 Parse Server exposes the data schema via GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While sche...

CVE-2025-53364 Parse Server exposes the data schema via GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While sche...

PT-2025-29105 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions 5.3.0 through 7.5.3 Parse Server version 8.2.2 Description: Parse Server’s GraphQL API allowed public access to the GraphQL schema without requiring a session token or the master key in versions 5.3.0 through 7.5.3 and...

Parse Server 安全漏洞

Parse Server is an open source backend from Parse Platform Open Source that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 5.3.0 through 7.5.3 and prior to 8.2.2, which stems from the GraphQL API not validating a sessi...

@0x18b2ee/parse-server (>=3.10.1 <=3.11.0), @514labs/aurora-mcp (>=0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939 <=0.0.64) +408 more potentially affected by CVE-2025-29744 via pg-promise (>=0.9.8 <=11.5.4)

pg-promise NPM version =0.9.8, =3.10.1, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =1.0.0, =1.1.2, =0.0.2, =0.0.3, =0.1.1, =9.3.8, =2.13.15, =2.0.0, =1.1.152, =1.0.1, =1.0.5, =1.0.10 and more Source cves: CVE-2025-29744 Source advisory: OSV:GHSA-FF9H-848C-4XFJ...

CVE-2024-29027

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulatio...

CVE-2023-32688

parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3...

CVE-2023-22474

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

CVE-2023-41058

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-32689

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server vi...

CVE-2023-36475

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVE-2022-39225

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVE-2022-39231

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...