Parse Server is an open-source backend framework that runs on Node.js and supports GraphQL APIs. In versions 9.3.1-alpha.3 through 9.5.0-alpha.9, a security flaw exists related to the authorization checks on GraphQL introspection queries when the graphQLPublicIntrospection setting is disabled. Specifically, while __schema introspection queries are properly blocked, __type queries embedded within inline fragments (e.g., ... on Query { __type(name:"User") { name } }) bypass the intended restrictions. This occurs because the authorization logic does not correctly inspect nested inline fragments, allowing unauthenticated users to perform type reconnaissance by querying type information about the GraphQL schema. This reconnaissance can reveal internal type names and structures, potentially aiding attackers in crafting more targeted attacks or discovering sensitive schema details. The vulnerability is classified under CWE-863 (Incorrect Authorization). It requires no privileges or user interaction to exploit and is remotely exploitable over the network. The issue was addressed and patched in parse-server version 9.5.0-alpha.10 by correcting the authorization checks to properly handle nested inline fragments in GraphQL queries.

The primary impact of this vulnerability is unauthorized disclosure of GraphQL type information through bypassed introspection controls. While it does not directly allow data modification or access to actual user data, the ability to perform type reconnaissance can significantly aid attackers in understanding the backend schema, which is often a critical step in planning further attacks such as injection, privilege escalation, or data exfiltration. Organizations relying on parse-server for backend services may inadvertently expose sensitive schema details to unauthenticated users, increasing their attack surface. This is particularly concerning for applications with sensitive or proprietary data models. The vulnerability's ease of exploitation (no authentication or user interaction required) and network accessibility increase the risk. Although no active exploits are currently known, the medium severity rating reflects the potential for attackers to leverage this information in multi-stage attacks.

To mitigate this vulnerability, organizations should upgrade parse-server to version 9.5.0-alpha.10 or later, where the authorization bypass is fixed. If immediate upgrading is not feasible, as a temporary measure, administrators should carefully review and restrict GraphQL endpoint access, possibly by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. Additionally, monitoring GraphQL query logs for unusual or nested __type introspection queries can help detect exploitation attempts. Developers should also audit custom GraphQL resolvers and authorization logic to ensure no similar bypasses exist. Employing Web Application Firewalls (WAFs) with rules to detect and block suspicious GraphQL introspection patterns may provide additional protection. Finally, educating development and security teams about the risks of improper GraphQL introspection controls can prevent similar issues in future deployments.