parse-server is vulnerable to Information Disclosure
63
Medium Risk
Parse Server's GraphQL API produces validation and input-coercion error messages that embed the target class names of Pointer and Relation fields. When the GraphQL API is mounted with public schema introspection disabled, these errors are returned to unauthenticated callers who possess only the public application ID, before authentication, CLP/ACL authorization, or any resolver runs. An attacker who knows only a Pointer or Relation field name can reconstruct otherwise-hidden schema class names, partially defeating schema hiding. The fix extends the GraphQL error-message sanitizer to redact schema type identifiers from these error templates for unauthenticated callers while preserving type names the caller referenced in their own operation.
You are affected if you are using a version that falls within the vulnerable range and you mount the GraphQL API with public schema introspection disabled.
parse-server is vulnerable to Information Disclosure in versions 8.2.2 - 8.6.86 and 9.0.0 - 9.9.0.
Upgrade the parse-server library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant