CVE-2025-64502
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows restricting `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depend on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or is set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments.
Meta Information
Published: 2025-11-10
Last Modified: 2025-11-12
Generated: 2026-05-07
AI Q&A: 2025-11-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor   Product        Version / Range
parse    parse_server   *
CWE
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Parse Server allows any client to execute MongoDB explain() queries without requiring the master key prior to version 8.5.0-alpha.5. The explain() method reveals detailed information about database query execution plans, including schema structure, field names, index configurations, query optimization details, and performance metrics. This exposure can provide attackers with insights to exploit database performance or structure.


How can this vulnerability impact me?

The vulnerability can expose sensitive database schema details and query performance information to unauthorized clients. This can lead to potential exploitation of database performance, unauthorized data inference, and increased risk of targeted attacks on the database infrastructure.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and alerting on the usage of explain queries in your Parse Server environment, especially those executed without the master key. Since the vulnerability involves unauthorized explain queries revealing database details, you should look for explain query requests in your server logs or network traffic. There are no specific commands provided, but implementing middleware to log or block explain queries from non-master-key requests is recommended.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include configuring the new databaseOptions.allowPublicExplain option to restrict explain queries to requests authenticated with the master key. Although this option currently defaults to true, explicitly setting it to false will prevent public explain queries. Additionally, implement middleware to block explain queries from non-master-key requests and monitor explain query usage to detect potential exploitation.

