CVE-2025-53364
published 2025-07-10


Priority: P2 · 79 · medium · base score 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 0.81% (52.4th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2.

Affected (4 ranges)

Vendor            Product        Version range        Fixed in
parse-community   parse-server
parse-community   parse-server
parse-community   parse-server   >= 5.3.0 < 7.5.3     7.5.3
parse-community   parse-server   >= 8.0.0 < 8.2.2     8.2.2

Detection & IOCs (extracted from sources)

url:      POST /graphql HTTP/1.1
path:     /graphql
command:  {"query":"{\n __schema {\n types {\n name\n }\n }\n}"}
other:    X-Parse-Application-Id
  • Send an unauthenticated GraphQL introspection query to /graphql with only X-Parse-Application-Id header (no session token or master key). A vulnerable server responds HTTP 200 with JSON body starting with {"data":{"__schema":{"types":[{"name":"Upload"},
  • Shodan dork to identify exposed Parse Server instances: http.title:"parse server" || "parse-server" or http.title:"parse dashboard"
  • FOFA dork to identify exposed Parse Dashboard instances: title="parse dashboard"
  • Vulnerability affects Parse Server versions starting from 5.3.0 up to (but not including) 7.5.3 and 8.2.2. Fixed in 7.5.3 and 8.2.2.
  • The Nuclei template uses a variable {{appid}} for the X-Parse-Application-Id header. A valid (but not necessarily privileged) Parse Application ID is required to trigger the vulnerability; the ID itself does not need to be a session token or master key.
  • Schema introspection reveals only metadata (type names, query structure), not actual stored data. The risk is indirect: exposure of API surface that can aid further attacks.
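A defender-side check for the request pattern described above, added here as an example and not taken from the record or from Parse Server's own code: it classifies captured requests to /graphql so a reverse proxy or log review can flag schema introspection that carries no Parse credential against a deployment still below the fixed versions. The header names X-Parse-Session-Token and X-Parse-Master-Key are Parse's standard credential headers; the function names and sample requests are constructed.

```javascript
// Added example (not part of the CVE record or Parse Server): flag GraphQL
// introspection requests that present only an application id, i.e. the
// unauthenticated access pattern that 7.5.3 / 8.2.2 close off.
const INTROSPECTION_FIELDS = /\b__(schema|type)\b/; // does not match __typename

// Parse's standard credential headers; compared case-insensitively.
function hasParseCredential(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  return Boolean(lower['x-parse-session-token'] || lower['x-parse-master-key']);
}

// True when the JSON body carries a GraphQL query touching __schema or __type.
function isIntrospectionQuery(body) {
  let query;
  try {
    query = JSON.parse(body).query;
  } catch {
    return false; // not a JSON GraphQL request body
  }
  return typeof query === 'string' && INTROSPECTION_FIELDS.test(query);
}

// Returns 'introspection-unauthenticated', 'introspection-authenticated' or 'other'.
function classifyGraphqlRequest({ method, path, headers, body }) {
  if (method !== 'POST' || !path.startsWith('/graphql')) return 'other';
  if (!isIntrospectionQuery(body)) return 'other';
  return hasParseCredential(headers)
    ? 'introspection-authenticated'
    : 'introspection-unauthenticated';
}

// Constructed sample traffic; the first request mirrors the shape quoted in the record.
const SAMPLE_REQUESTS = [
  { method: 'POST', path: '/graphql', headers: { 'X-Parse-Application-Id': 'EXAMPLE_APP_ID' },
    body: '{"query":"{\\n __schema {\\n types {\\n name\\n }\\n }\\n}"}' },
  { method: 'POST', path: '/graphql',
    headers: { 'X-Parse-Application-Id': 'EXAMPLE_APP_ID', 'X-Parse-Master-Key': 'REDACTED' },
    body: '{"query":"{ __schema { queryType { name } } }"}' },
  { method: 'POST', path: '/graphql', headers: { 'X-Parse-Application-Id': 'EXAMPLE_APP_ID' },
    body: '{"query":"{ health }"}' },
];

function summarize(requests) {
  return requests.map(classifyGraphqlRequest);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize(SAMPLE_REQUESTS));
}
```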

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck             5.3     MEDIUM