Parse Server Allowing Public Explain Queries Vulnerability

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.5.0-alpha.5 that allows any client to execute MongoDB explain queries without a master key. This could expose sensitive database information such as schema details, index configurations, query performance metrics, and potential exploitation vectors. The issue has been addressed in version 8.5.0-alpha.5 by introducing a database option, allowPublicExplain, which controls whether explain queries are permitted without a master key. The option defaults to true to avoid a breaking change for production systems, and will be deprecated in a future major release.

Impact

The vulnerability could lead to unauthorized access to sensitive database performance data and schema details, which could be exploited for malicious purposes.

Reproduction

To reproduce this vulnerability, configure a Parse Server instance running a version prior to 8.5.0-alpha.5. Without the master key, send a request that includes an explain query. The server will process the request and return the explain data, demonstrating that the query was executed without the required authorization.

Remediation

Users can update to Parse Server version 8.5.0-alpha.5 or later, where this vulnerability has been patched. As an additional or interim control, implement middleware that blocks explain queries on requests that do not carry the master key, or monitor and alert on explain query usage in production environments.

Added: Nov 10, 2025, 10:25 PM
Updated: Nov 10, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.3
remediation: 8.3
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.