PT-2025-46206 · Parse Server

Published 2025-11-10 · Updated 2025-11-13 · CVE-2025-64502

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.5.0-alpha.5

Description: Parse Server, an open-source backend deployable on Node.js infrastructure, allows any client to execute MongoDB explain() queries without requiring the master key. The explain() method reveals detailed information about query execution plans, including database schema structure, field names, index configurations, query optimization details, query execution statistics, and performance metrics. This exposure can potentially reveal attack vectors for database performance exploitation. A new configuration option, databaseOptions.allowPublicExplain, was introduced in version 8.5.0-alpha.5 to restrict explain queries to master-key requests. This option defaults to true to maintain compatibility with existing deployments.

Recommendations: Upgrade to version 8.5.0-alpha.5 or later. Implement middleware to block explain queries from non-master-key requests. Monitor and alert on explain query usage in production environments.

Related Identifiers

BIT-PARSE-2025-64502
CVE-2025-64502
GHSA-7CX5-254X-CGRQ

Affected Products

MongoDB
Node.js
Parse Server