Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Patch Immediately
AI Analysis

Impact

Parse Server provides open‑source backend functionality through REST and GraphQL APIs. An unauthenticated attacker can send crafted queries that trigger unbounded query complexity, causing the server to consume excessive CPU, memory and database connections. This results in application slowdown or crash, effectively denying legitimate users access. The weakness is identified as unchecked resource consumption (CWE‑770).

Affected Systems

All installations of Parse Server running any version prior to 9.5.2‑alpha.2 or 8.6.15 are affected, regardless of deployment environment as long as the REST or GraphQL API is enabled. The vulnerability applies to any infrastructure capable of executing the server under Node.js.

Risk and Exploitability

The vulnerability has a high CVSS score of 8.7, indicating significant impact. The EPSS score is below 1%, suggesting a low probability of exploitation at present, and it is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated attacker sending crafted API requests that probe the lack of query complexity limits.

Generated by OpenCVE AI on April 16, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2‑alpha.2 or 8.6.15, where the query complexity limits are enforced.
  • If an immediate upgrade is not possible, restrict access to the REST and GraphQL APIs to trusted networks or firewall rules to limit exposure to potential attackers.
  • Implement monitoring on CPU, memory and database connections to detect sudden spikes that may indicate an attack, and apply rate limiting or query length constraints as an interim defensive measure.

Generated by OpenCVE AI on April 16, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cmj3-wx7h-ffvg Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
History

Wed, 11 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
Title Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:29:32.830Z

Reserved: 2026-03-07T17:34:39.979Z

Link: CVE-2026-30946

cve-icon Vulnrichment

Updated: 2026-03-11T15:29:21.907Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:47.333

Modified: 2026-03-11T17:16:26.967

Link: CVE-2026-30946

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses