Impact
When the GraphQL API is mounted with public introspection disabled (graphQLPublicIntrospection: false, the default), Parse Server returned GraphQL validation error messages that named required custom input fields the caller had not supplied. A client holding only the public application id — with no user session, master key, or maintenance key — could therefore learn the names of required fields on classes it references, partially defeating the schema-hiding intent of disabling public introspection.
The disclosure is limited to the names of required (non-null) custom fields, and only on classes the caller already references by name. No stored data, credentials, or other schema information (optional field names, class names the caller has not referenced, Cloud Code function names) is exposed through this issue.
Patches
Parse Server now redacts the schema identifiers from the affected GraphQL validation error messages for callers that are not permitted to introspect the schema (that is, non-master and non-maintenance callers) when public introspection is disabled. The messages are preserved unchanged for master-key and maintenance-key callers and for deployments that enable public introspection, so legitimate debugging feedback is retained where schema visibility is already permitted.
Workarounds
There is no configuration option that fully prevents the disclosure without upgrading; upgrading to a patched version is the recommended remediation. Operators who cannot upgrade immediately can restrict access to the GraphQL endpoint (for example, to trusted networks or authenticated clients) to limit exposure.
References
Impact
When the GraphQL API is mounted with public introspection disabled (
graphQLPublicIntrospection: false, the default), Parse Server returned GraphQL validation error messages that named required custom input fields the caller had not supplied. A client holding only the public application id — with no user session, master key, or maintenance key — could therefore learn the names of required fields on classes it references, partially defeating the schema-hiding intent of disabling public introspection.The disclosure is limited to the names of required (non-null) custom fields, and only on classes the caller already references by name. No stored data, credentials, or other schema information (optional field names, class names the caller has not referenced, Cloud Code function names) is exposed through this issue.
Patches
Parse Server now redacts the schema identifiers from the affected GraphQL validation error messages for callers that are not permitted to introspect the schema (that is, non-master and non-maintenance callers) when public introspection is disabled. The messages are preserved unchanged for master-key and maintenance-key callers and for deployments that enable public introspection, so legitimate debugging feedback is retained where schema visibility is already permitted.
Workarounds
There is no configuration option that fully prevents the disclosure without upgrading; upgrading to a patched version is the recommended remediation. Operators who cannot upgrade immediately can restrict access to the GraphQL endpoint (for example, to trusted networks or authenticated clients) to limit exposure.
References