CVE-2025-64502: Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
MongoDB's explain() method returns the execution plan for a query: which indexes were considered and chosen, whether the collection was scanned, how many documents were examined, and related timing statistics. Affected Parse Server versions honour a client's request to explain a query without requiring the master key, so any client that can reach the query endpoint receives this plan instead of only the query results. This exposes:
- Database schema structure and field names
- Index configurations and query optimization details
- Query execution statistics and performance metrics
- Information useful for abusing database performance, such as which fields are unindexed and how many documents a given filter forces the server to scan, which lets an attacker craft deliberately expensive queries
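The following is an added illustration written for this page, not code from Parse Server or from the referenced fix. It models the weakness next to the obvious remedy: a query handler that serves an `explain` request to every caller, beside one that refuses it unless the master key was presented. The request shape is the Parse REST style `GET /classes/<Class>?explain=true` with the key headers; the handler names, the `MASTER_KEY` value, the `authFromHeaders` helper and the `'plan'`/`'results'` return values are all the example's own assumptions.

```javascript
// Added example for CVE-2025-64502; not Parse Server's own code.
// Models the weakness (explain served to anyone) beside the remedy
// (explain only when the caller holds the master key).

// Constructed sample secret; a real deployment reads it from configuration.
const MASTER_KEY = 'constructed-master-key';

class ForbiddenError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ForbiddenError';
  }
}

// Parse REST query-string values arrive as strings. Values that are valid
// JSON are decoded ("true" -> true, "0" -> 0, "false" -> false); anything
// else stays a string. Truthiness then decides whether explain was requested.
function decodeParam(raw) {
  try {
    return JSON.parse(raw);
  } catch {
    return raw;
  }
}

// Pull the options relevant here out of a GET /classes/<Class> URL.
function optionsFromUrl(urlString) {
  const { searchParams } = new URL(urlString, 'http://parse.invalid');
  const options = {};
  if (searchParams.has('explain')) {
    options.explain = decodeParam(searchParams.get('explain'));
  }
  if (searchParams.has('where')) {
    options.where = decodeParam(searchParams.get('where'));
  }
  return options;
}

// Hypothetical auth context for the example: only `isMaster` is modelled.
function authFromHeaders(headers) {
  return { isMaster: headers['x-parse-master-key'] === MASTER_KEY };
}

// Vulnerable behaviour: the explain flag is honoured for every caller, so
// the plan (index choice, documents scanned, field names) leaks to anyone.
function handleQueryVulnerable(urlString, headers) {
  const options = optionsFromUrl(urlString);
  authFromHeaders(headers); // computed, but never consulted for explain
  return options.explain ? 'plan' : 'results';
}

// Hardened behaviour: refuse explain unless the master key was presented.
function assertExplainAllowed(options, auth) {
  if (options.explain && !auth.isMaster) {
    throw new ForbiddenError('explain requires the master key');
  }
}

function handleQueryHardened(urlString, headers) {
  const options = optionsFromUrl(urlString);
  const auth = authFromHeaders(headers);
  assertExplainAllowed(options, auth);
  return options.explain ? 'plan' : 'results';
}

// Wrapper for a quick check: reports 'forbidden' instead of throwing.
function probe(handler, urlString, headers) {
  try {
    return handler(urlString, headers);
  } catch (err) {
    if (err instanceof ForbiddenError) return 'forbidden';
    throw err;
  }
}

// Demo: the same app-ID-only request against both handlers.
const appOnly = { 'x-parse-application-id': 'myAppId' };
const demoUrl = '/classes/_User?where={"email":{"$exists":true}}&explain=true';
console.log('vulnerable:', probe(handleQueryVulnerable, demoUrl, appOnly)); // plan
console.log('hardened:  ', probe(handleQueryHardened, demoUrl, appOnly));   // forbidden
```

Two details matter when porting this gate to real code: `explain` must be read after the same value decoding the server applies to other query parameters, so that `explain=true`, `explain=1` and an unrecognised truthy string like `explain=yes` are all caught, and the check must run for every path that can carry the flag, not just the GET query string. The same request, sent to a live deployment with only the application ID, is a reasonable smoke test for whether a given Parse Server still serves plans to unprivileged callers.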
References
- github.com/advisories/GHSA-7cx5-254x-cgrq
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452
- github.com/parse-community/parse-server/pull/9890
- github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
- nvd.nist.gov/vuln/detail/CVE-2025-64502