GHSA-q5q9-2rhp-33qw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q5q9-2rhp-33qw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q5q9-2rhp-33qw/GHSA-q5q9-2rhp-33qw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q5q9-2rhp-33qw
- Aliases
- Published
- 2026-03-09T17:42:17Z
- Modified
- 2026-03-16T03:05:24.173690Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
- Details
-
Impact
When
graphQLPublicIntrospectionis disabled,__typequeries nested inside inline fragments (e.g.... on Query { __type(name:"User") { name } })bypass the introspection control, allowing unauthenticated users to perform type reconnaissance.__schemaintrospection is not affected.Patches
The check was changed from a flat iteration over root-level selections to a recursive walk of all selection sets, detecting
__typeinside inline fragments at any depth.Workarounds
Require master key authentication at the network layer (e.g. reverse proxy) for the GraphQL endpoint.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.10
- Database specific
{ "cwe_ids": [ "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2026-03-09T17:42:17Z", "nvd_published_at": "2026-03-07T17:15:52Z", "severity": "MODERATE" }- References
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server