Information Disclosure Risk in Parse Server by Parse Community
CVE-2025-64502

6.9 MEDIUM

Key Information:

Vendor: Parse Community
CVE Published: 10 November 2025

What is CVE-2025-64502?

Parse Server, an open source backend for Node.js, has a critical vulnerability that allows any client to execute the MongoDB explain() method without requiring the master key. This exposure can reveal sensitive information about database schema structures, index usage, performance metrics, and potential attack vectors. Version 8.5.0-alpha.5 introduces a new databaseOptions.allowPublicExplain setting to restrict access to explain queries, which defaults to true to maintain compatibility with existing systems. Users are advised to implement middleware to block these queries from non-master-key requests or to monitor their usage for enhanced security.
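The advisory recommends two mitigations: the databaseOptions.allowPublicExplain switch (available from 8.5.0-alpha.5, default true) and, for older deployments, middleware that refuses explain requests unless they carry the master key. The following is an added example, not Parse Server's own code, showing both. It assumes the Parse REST conventions that the master key is sent in the X-Parse-Master-Key header and that an explain request carries explain=true in the query string or explain: true in a JSON body (the SDK tunnels finds as POST bodies with _method "GET"); the header name is the standard Parse header, the exact shape of the explain flag is an assumption. The 403 body reuses Parse error code 119 (OPERATION_FORBIDDEN).

```javascript
'use strict';

// Constant-time string comparison so the gate itself does not leak key bytes.
function hasValidMasterKey(headerValue, expectedMasterKey) {
  if (typeof headerValue !== 'string' || typeof expectedMasterKey !== 'string') return false;
  if (headerValue.length !== expectedMasterKey.length) return false;
  let diff = 0;
  for (let i = 0; i < headerValue.length; i++) {
    diff |= headerValue.charCodeAt(i) ^ expectedMasterKey.charCodeAt(i);
  }
  return diff === 0;
}

// Accept the forms an "explain" flag takes in a query string or JSON body.
function truthy(v) {
  return v === true || v === 'true' || v === '1' || v === 1;
}

// Does this request ask MongoDB for a query plan? (assumed flag shape)
function requestsExplain(req) {
  const q = (req.query && typeof req.query === 'object') ? req.query : {};
  const body = (req.body && typeof req.body === 'object') ? req.body : {};
  return truthy(q.explain) || truthy(body.explain);
}

// Decision: true when the request must be rejected (explain without master key).
function isBlockedExplainRequest(req, expectedMasterKey) {
  if (!requestsExplain(req)) return false;
  const headers = req.headers || {};            // Express lowercases header names
  return !hasValidMasterKey(headers['x-parse-master-key'], expectedMasterKey);
}

// Express-style middleware; mount it before the Parse Server mount point.
// The log line gives SOC a detection signal for probing of query plans.
function blockPublicExplain(expectedMasterKey, log = console.warn) {
  return function (req, res, next) {
    if (isBlockedExplainRequest(req, expectedMasterKey)) {
      log(`blocked explain request from ${req.ip} on ${req.originalUrl || req.url}`);
      res.status(403).json({ code: 119, error: 'explain requires the master key' });
      return;
    }
    next();
  };
}

// On 8.5.0-alpha.5 and later the advisory's switch exists; its default (true)
// keeps the exposure, so set it to false explicitly.
function serverOptions(masterKey) {
  return {
    masterKey,
    databaseOptions: {
      allowPublicExplain: false, // weak default: true
    },
  };
}
```

The middleware only covers the REST surface it sees; combined with allowPublicExplain: false on a patched version it gives two independent gates, and the log line lets a detection rule count rejected explain attempts per client IP.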

Affected Version(s)

parse-server < 8.5.0-alpha.5

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
