Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta
- Severity: Medium
Description
MongoDB's explain() method returns the execution plan for a query rather than (or in addition to) its results: the winning and rejected plans, which index was chosen or whether the collection was scanned in full (COLLSCAN vs. IXSCAN), the namespace being queried, and, depending on verbosity, execution statistics such as documents examined and time spent. The output can also carry a serverInfo block with the database host, port and version. Parse Server exposes this through the `explain` option on find queries, and affected versions let any client that knows the application ID run an explain query without presenting the master key. An unauthenticated caller can therefore learn index names, the names of underlying collections (including internal classes), and how expensive particular query shapes are, all of which is reconnaissance that should only be available to an operator holding the master key.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 8.5.0-alpha.5
- Patched version(s): 8.5.0-alpha.5
Note that the patched release is a pre-release (alpha) build. Deployments that cannot move to it should reject `explain` requests at the edge or in the application layer unless the master key is presented, and should confirm the block with a test request from a client that has only the client (JavaScript/REST) key.
- Tags: npm, parse-server
Last updated on November 13, 2025