CVE-2025-53364
Published: 2025-07-10
Priority: P2 (79) · medium · CVSS 3.1 base score 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 0.81% (52.4th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | — | — |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 5.3.0 < 7.5.3 | 7.5.3 |
| parse-community | parse-server | >= 8.0.0 < 8.2.2 | 8.2.2 |
Detection & IOCs (extracted from sources)
- Send an unauthenticated GraphQL introspection query to /graphql with only X-Parse-Application-Id header (no session token or master key). A vulnerable server responds HTTP 200 with JSON body starting with {"data":{"__schema":{"types":[{"name":"Upload"},
- Shodan dork to identify exposed Parse Server instances: http.title:"parse server" || "parse-server" or http.title:"parse dashboard"
- FOFA dork to identify exposed Parse Dashboard instances: title="parse dashboard"
- Vulnerability affects Parse Server versions starting from 5.3.0 up to (but not including) 7.5.3 and 8.2.2. Fixed in 7.5.3 and 8.2.2.
- The Nuclei template uses a variable {{appid}} for the X-Parse-Application-Id header. A valid (but not necessarily privileged) Parse Application ID is required to trigger the vulnerability; the ID itself does not need to be a session token or master key.
- Schema introspection reveals only metadata (type names, query structure), not actual stored data. The risk is indirect: exposure of API surface that can aid further attacks.
CVSS provenance
- NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- VulnCheck: 5.3 MEDIUM
GHSA: Parse Server exposes the data schema via GraphQL API (ghsa, 2025-07-10; CVE-2025-53364, MEDIUM, CWE-497)
### Impact
The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
### Patches
The issue has been addressed by requiring the master key for schema introspection. Additionally, a new Parse Server configuration option, `graphQLPublicIntrospection`, has been introduced. This option allows developers to re-enable public schema introspection if their application relies on it. However, it is strongly recommended to use this option only temporarily and to update the application to function without depending on public introspection.
OSV: Parse Server exposes the data schema via GraphQL API (osv, 2025-07-10; CVE-2025-53364, MEDIUM)
The OSV entry's Impact and Patches text is identical to the GHSA advisory above.
VulnCheck: parseplatform parse-server Exposure of Sensitive System Information to an Unauthorized Control Sphere (vulncheck, 2025; CVE-2025-53364, MEDIUM, CVSS 5.3)
The VulnCheck description is identical to the summary at the top of this page.
Affected: parseplatform parse-server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://da
No detection rules found.
Nuclei: Parse Server - GraphQL Schema Information Disclosure (nuclei, CVE-2025-53364, MEDIUM, CVSS 5.3)
The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
Template (as indexed; the page's copy is cut off after the `impact` field):
```yaml
id: CVE-2025-53364

info:
  name: Parse Server - GraphQL Schema Information Disclosure
  author: securitytaters
  severity: medium
  description: |
    The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
  impact: |
    Unauthenticated attackers can access GraphQL sch
```
No writeups or analysis indexed.