GHSA-q5q9-2rhp-33qw
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Details
### Impact
When `graphQLPublicIntrospection` is disabled, `__type` queries nested inside inline fragments (e.g. `... on Query { __type(name:"User") { name } }`) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. `__schema` introspection is not affected.
### Patches
The check was changed from a flat iteration over root-level selections to a recursive walk of all selection sets, detecting `__type` inside inline fragments at any depth.
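To make the difference concrete, the following is an added example (not Parse Server's own code): the pre-fix flat check over root-level selections beside a recursive walk of every selection set, run over hand-constructed AST objects shaped like graphql-js nodes so it runs without the `graphql` package. It goes slightly beyond the advisory by also covering a named fragment spread, which the same walk over all definitions catches.

```javascript
// Minimal builders for graphql-js-shaped AST nodes (constructed here, not parsed).
const field = (name, selections) => ({
  kind: 'Field', name: { value: name },
  selectionSet: selections ? { kind: 'SelectionSet', selections } : undefined,
});
const inlineFragment = (type, selections) => ({
  kind: 'InlineFragment', typeCondition: { name: { value: type } },
  selectionSet: { kind: 'SelectionSet', selections },
});
const fragmentSpread = (name) => ({ kind: 'FragmentSpread', name: { value: name } });
const fragmentDef = (name, type, selections) => ({
  kind: 'FragmentDefinition', name: { value: name },
  typeCondition: { name: { value: type } },
  selectionSet: { kind: 'SelectionSet', selections },
});
const document = (...definitions) => ({ kind: 'Document', definitions });
const operation = (selections) => ({
  kind: 'OperationDefinition', operation: 'query',
  selectionSet: { kind: 'SelectionSet', selections },
});

// Pre-fix pattern: only the root-level selections of each operation are inspected,
// so a __type field one level down inside an inline fragment is never seen.
function hasTypeIntrospectionFlat(doc) {
  return doc.definitions.some((def) =>
    def.kind === 'OperationDefinition' &&
    def.selectionSet.selections.some((sel) => sel.kind === 'Field' && sel.name.value === '__type'));
}

// Fixed pattern: recurse through every selection set of every definition, so
// __type is detected at any depth, inside inline fragments and named fragments alike.
function hasTypeIntrospectionDeep(doc) {
  const walk = (selectionSet) => (selectionSet?.selections ?? []).some((sel) =>
    (sel.kind === 'Field' && sel.name.value === '__type') || walk(sel.selectionSet));
  return doc.definitions.some((def) => walk(def.selectionSet));
}

// Constructed sample queries: root-level __type, the inline-fragment bypass from
// the advisory, the same field behind a named fragment spread, and a benign query.
const rootLevel = document(operation([field('__type', [field('name')])]));
const nestedInFragment = document(operation([inlineFragment('Query', [field('__type', [field('name')])])]));
const viaNamedFragment = document(
  operation([fragmentSpread('Probe')]),
  fragmentDef('Probe', 'Query', [field('__type', [field('name')])]));
const benign = document(operation([field('health')]));
```
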
### Workarounds
Require master key authentication at the network layer (e.g. reverse proxy) for the GraphQL endpoint.
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q5q9-2rhp-33qw
- Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.10
Affected packages
- parse-server 9.3.1-alpha.3, fixed in 9.5.0-alpha.10 (`npm install parse-server@9.5.0-alpha.10`)