Intel

AIKIDO-2026-898030

parse-server is vulnerable to Information Disclosure

Information DisclosureGHSA-r2g6-4f6j-f6rf Published Today

63

Medium Risk

This Affects:

JSparse-server
8.2.2 - 8.6.86
Fixed in 8.6.87
9.0.0 - 9.9.0
Fixed in 9.10.0
Are you affected? Scan for Free

TL;DR

Parse Server's GraphQL API produces validation and input-coercion error messages that embed the target class names of Pointer and Relation fields. When the GraphQL API is mounted with public schema introspection disabled, these errors are returned to unauthenticated callers who possess only the public application ID, before authentication, CLP/ACL authorization, or any resolver runs. An attacker who knows only a Pointer or Relation field name can reconstruct otherwise-hidden schema class names, partially defeating schema hiding. The fix extends the GraphQL error-message sanitizer to redact schema type identifiers from these error templates for unauthenticated callers while preserving type names the caller referenced in their own operation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you mount the GraphQL API with public schema introspection disabled.

Background info

parse-server is vulnerable to Information Disclosure in versions 8.2.2 - 8.6.86 and 9.0.0 - 9.9.0.

How to fix this

Upgrade the parse-server library to the patch version.