Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta
Severity: Medium
Description
The MongoDB explain() method returns detailed information about how a query is executed, including which indexes are used, whether collections are scanned, and associated performance metrics. Parse Server permits any client to request an explain query without supplying the master key, so an unauthenticated or ordinary client can learn about the database's indexes, collection layout and query performance.
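The condition described above can be checked for in an application's own request handling and in access logs. The following is an added example, not code from the advisory or from Parse Server itself: it classifies Parse REST requests by whether they ask for an explain plan and whether the request carries the master key, and it provides an Express-style guard that rejects explain requests lacking the master key. The request records are constructed; `X-Parse-Master-Key` and the `explain` query parameter are Parse's own names, while the log record shape and the guard function are assumptions made for the example.

```javascript
// Added example: detect and block explain requests that do not carry the
// master key. Request records below are constructed for illustration.

// Constructed sample of Parse REST requests as an access-log capture might
// record them (shape is an assumption, not a Parse Server log format).
const sampleRequests = [
  { // explain requested with only a session token: should be denied
    method: 'GET', path: '/parse/classes/GameScore',
    query: { where: '{"score":{"$gt":1000}}', explain: 'true' },
    headers: { 'x-parse-application-id': 'app1', 'x-parse-session-token': 'r:abc123' },
  },
  { // explain requested by an operator holding the master key: allowed
    method: 'GET', path: '/parse/classes/GameScore',
    query: { explain: 'true' },
    headers: { 'x-parse-application-id': 'app1', 'x-parse-master-key': 'MASTER_KEY_PLACEHOLDER' },
  },
  { // SDKs may tunnel a GET through POST with _method; explain in the body
    method: 'POST', path: '/parse/classes/GameScore',
    body: { _method: 'GET', explain: true, limit: 5 },
    headers: { 'x-parse-application-id': 'app1' },
  },
  { // ordinary query, no explain: not relevant to this issue
    method: 'GET', path: '/parse/classes/GameScore',
    query: { limit: '10' },
    headers: { 'x-parse-application-id': 'app1', 'x-parse-session-token': 'r:def456' },
  },
];

// Treat boolean true and the string "true" (query-string form) as a request
// for an explain plan.
function isTruthyFlag(value) {
  return value === true || String(value).toLowerCase() === 'true';
}

// An explain plan is requested if the flag appears in the query string or,
// for tunnelled requests, in the JSON body.
function requestsExplain(req) {
  const q = req.query || {};
  const b = req.body || {};
  return isTruthyFlag(q.explain) || isTruthyFlag(b.explain);
}

// Header lookup that is case-insensitive, as HTTP header names are.
function hasMasterKey(req) {
  const headers = req.headers || {};
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === 'x-parse-master-key' && String(headers[name]).length > 0,
  );
}

// Policy decision: 'n/a' for non-explain requests, otherwise 'allow' only
// when the master key is present.
function decideExplain(req) {
  if (!requestsExplain(req)) return 'n/a';
  return hasMasterKey(req) ? 'allow' : 'deny';
}

// Audit pass over captured requests: returns the ones that would have
// exposed explain output to a client without the master key.
function auditRequests(requests) {
  return requests
    .filter((req) => decideExplain(req) === 'deny')
    .map((req) => ({ method: req.method, path: req.path, reason: 'explain without master key' }));
}

// Express-style guard (assumed middleware shape): reject explain requests
// that lack the master key before they reach the query layer.
function explainGuard(req, res, next) {
  if (decideExplain(req) === 'deny') {
    res.status(403).json({ code: 119, error: 'explain requires the master key' });
    return;
  }
  next();
}

module.exports = { sampleRequests, requestsExplain, hasMasterKey, decideExplain, auditRequests, explainGuard };
```

Run the audit over an exported request log to find historical exposure; mount `explainGuard` ahead of the Parse mount point on servers that cannot yet be upgraded, and prefer upgrading to a patched version so the check lives in Parse Server itself.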
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 8.5.0-alpha.5
- Patched version(s): 8.5.0-alpha.5
References
Related Issues
- Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
- Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
- Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
Tags: npm, parse-server
Last updated on November 13, 2025