Vulnerability details: VCID-wu9b-cdwh-mka2
Vulnerability ID VCID-wu9b-cdwh-mka2
Aliases CVE-2025-64502
GHSA-7cx5-254x-cgrq
Summary Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details.

The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Parse Server permits any client to execute explain queries without requiring the master key. This exposes:
- Database schema structure and field names
- Index configurations and query optimization details
- Query execution statistics and performance metrics
- Potential attack vectors for database performance exploitation
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00098 https://api.first.org/data/v1/epss?cve=CVE-2025-64502
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2025-64502
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7cx5-254x-cgrq
cvssv4 6.9 https://github.com/parse-community/parse-server
generic_textual MODERATE https://github.com/parse-community/parse-server
cvssv4 6.9 https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452
generic_textual MODERATE https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452
ssvc Track https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452
cvssv4 6.9 https://github.com/parse-community/parse-server/pull/9890
generic_textual MODERATE https://github.com/parse-community/parse-server/pull/9890
ssvc Track https://github.com/parse-community/parse-server/pull/9890
cvssv3.1_qr MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
cvssv4 6.9 https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
generic_textual MODERATE https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2025-64502
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-64502
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/parse-community/parse-server
CVSS 4.0 metrics and their possible values:
Attack Vector (AV): network, adjacent, local, physical
Attack Complexity (AC): low, high
Attack Requirements (AT): none, present
Privileges Required (PR): none, low, high
User Interaction (UI): none, passive, active
Vulnerable System Impact Confidentiality (VC): high, low, none
Vulnerable System Impact Integrity (VI): high, low, none
Vulnerable System Impact Availability (VA): high, low, none
Subsequent System Impact Confidentiality (SC): high, low, none
Subsequent System Impact Integrity (SI): high, low, none
Subsequent System Impact Availability (SA): high, low, none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-12T17:36:05Z/ Found at https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/9890
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-12T17:36:05Z/ Found at https://github.com/parse-community/parse-server/pull/9890
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-12T17:36:05Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64502
Exploit Prediction Scoring System (EPSS)
Percentile 0.2704
EPSS Score 0.00098
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:48:28.110908+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2025-64502.yml 38.6.0