Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
- Severity: Medium
Description
The MongoDB explain() method returns detailed information about how a query is executed, including which indexes are used, whether collections are scanned, and performance metrics. Affected versions of Parse Server let any client run a query with the `explain` option without the master key, so this execution-plan information is exposed to ordinary clients.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 8.5.0-alpha.5
- Patched version(s): 8.5.0-alpha.5
References
Related Issues
- Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
- parse-server: Malformed `$regex` query leaks database error details in API response - CVE-2026-30835
- Sensitive Data Exposure in parse-server - CVE-2019-1020013
- Information disclosure in parse-server - CVE-2020-5251
Tags: npm, parse-server
Last updated on November 13, 2025