CVE-2025-53364: Parse Server exposes the data schema via GraphQL API

July 10, 2025

The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.

References

github.com/advisories/GHSA-48q3-prgv-gm4w
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/9819
github.com/parse-community/parse-server/pull/9820
github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w
nvd.nist.gov/vuln/detail/CVE-2025-53364

Code Behaviors & Features

Detect and mitigate CVE-2025-53364 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →