Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
Published: 2026-03-31
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Parse Server's GraphQL query complexity validator can be abused to provoke a denial-of-service when it receives a crafted query that contains binary fan-out fragment spreads. Executing such a query blocks the Node.js event loop for several seconds, denying service to every user of the backend. The flaw originates in the complexity calculation logic and is classified as a denial-of-service weakness.

Affected Systems

Parse Server deployments built from the open-source Parse Server project that run on Node.js are affected. Versions earlier than 8.6.68 and 9.7.0-alpha.12 are vulnerable. Only installations that enable the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options are susceptible.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.2, indicating high severity, while the EPSS score of under 1% suggests a low probability of exploitation. It is not listed in the CISA KEV catalog. An unauthenticated client can trigger the DoS by submitting a specially crafted GraphQL request to the exposed GraphQL endpoint; no authentication or privileged access is required. Once triggered, the event loop is forced to process an exponential number of fragment spreads, resulting in a temporary service outage for all users.

Generated by OpenCVE AI on April 2, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.68 or 9.7.0-alpha.12 or later
  • If an upgrade is not immediately possible, disable the requestComplexity.graphQLDepth and requestComplexity.graphQLFields settings, or reduce their permissible values to limit query complexity
  • Monitor the GraphQL endpoint for unusually large or complex queries that could indicate attempted exploitation
  • Verify that the patched version is running by checking the application version at startup or via the API
  • Review firewall or API gateway rules to restrict access to the GraphQL endpoint to trusted IP ranges only
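As an added illustration of the exponential fragment traversal the analysis describes, and of the query monitoring suggested above, the following Python check counts how many fragment visits a validator would perform if it re-walked a fragment at every spread. This is example code written for this page, not Parse Server's own code; the field names, the sample queries and the visit threshold are assumptions.

```python
import re

FRAG_DEF = re.compile(r"fragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD = re.compile(r"\.\.\.\s*(\w+)")

def _body(text, open_idx):
    # text between the '{' at open_idx and its matching '}' (no string-literal handling)
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def _spreads(text):
    return [n for n in SPREAD.findall(text) if n != "on"]  # '... on T {}' is inline

def spread_graph(query):
    # fragment name -> named spreads inside it, plus the spreads in the operation itself
    frags, rest = {}, query
    for m in reversed(list(FRAG_DEF.finditer(query))):  # reversed: cuts keep indices valid
        body = _body(query, m.end() - 1)
        frags[m.group(1)] = _spreads(body)
        rest = rest[:m.start()] + rest[m.end() + len(body) + 1:]
    return _spreads(rest), frags

def fragment_visits(query):
    # Visits a validator performs if it re-walks a fragment at every spread.
    # Memoized per fragment here, so this check is linear even when the answer is exponential.
    root, frags = spread_graph(query)
    memo, stack = {}, []
    def visits(name):
        if name in stack:
            raise ValueError(f"fragment cycle through {name}")
        if name not in memo:
            stack.append(name)
            memo[name] = 1 + sum(visits(c) for c in frags[name])
            stack.pop()
        return memo[name]
    return sum(visits(s) for s in root)

def assess(query, max_visits=100):
    # max_visits is an assumed threshold; tune it to what legitimate clients send
    n = fragment_visits(query)
    return {"visits": n, "flagged": n > max_visits}

# Constructed samples: a normal query, and the binary fan-out shape the advisory describes
# (each fragment spreads the next one twice; 7 fragments, but 127 visits for a naive walk).
BENIGN = "query { user { ...UserFields } } fragment UserFields on User { id name }"
FANOUT = "query { viewer { ...F0 } } " + " ".join(
    f"fragment F{i} on User {{ a: self {{ ...F{i + 1} }} b: self {{ ...F{i + 1} }} }}"
    for i in range(6)) + " fragment F6 on User { id }"
```

Memoizing per fragment is the general remedy for this class of traversal: the cost becomes proportional to the number of fragment definitions rather than to the number of expansions.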


Tracking


Advisories
Source: Github GHSA
ID: GHSA-mfj6-6p54-m98c
Title: parse-server has GraphQL complexity validator exponential fragment traversal DoS
History

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared: Parseplatform; Parseplatform parse-server
CPEs: cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products: Parseplatform; Parseplatform parse-server
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 01 Apr 2026 02:15:00 +0000

First Time appeared: Parse Community; Parse Community parse Server
Vendors & Products: Parse Community; Parse Community parse Server

Tue, 31 Mar 2026 19:15:00 +0000

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 15:30:00 +0000

Description: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
Title: Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Weaknesses: CWE-407
References:
Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:52:50.211Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34573

Vulnrichment

Updated: 2026-03-31T18:50:21.036Z

NVD

Status: Analyzed

Published: 2026-03-31T16:16:33.737

Modified: 2026-04-02T17:31:49.910

Link: CVE-2026-34573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:26Z

Weaknesses