Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
Published: 2026-03-31
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to send a specially crafted GraphQL query that triggers an exponential traversal of fragment spreads in the complexity validator. This leads to prolonged blocking of the Node.js event loop, causing a denial-of-service for all users on the affected server. The weakness is a form of excessive resource consumption, identified as CWE-407.
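The exponential traversal described above, reduced to its algorithmic core as an added example (this is not Parse Server's code and the memoised variant is an assumed mitigation, not the upstream patch): fragments are modelled as a constructed name-to-spreads map with binary fan-out, and a naive depth walk is compared with one that analyses each fragment once.

```javascript
// Constructed input: `levels` fragments, each spreading the next one twice:
// only levels+1 fragments, but 2^levels root-to-leaf paths.
function buildFanOutFragments(levels) {
  const fragments = {};
  for (let i = 0; i < levels; i++) {
    fragments[`F${i}`] = { spreads: [`F${i + 1}`, `F${i + 1}`] };
  }
  fragments[`F${levels}`] = { spreads: [] };
  return fragments;
}

// Naive walk: re-enters a fragment every time it is spread, so work grows
// with the number of paths (exponential), not the number of fragments.
function naiveDepth(fragments, root) {
  const stats = { depth: 0, visits: 0 };
  const walk = (name) => {
    stats.visits += 1;
    let deepest = 0;
    for (const s of fragments[name].spreads) deepest = Math.max(deepest, walk(s));
    return 1 + deepest;
  };
  stats.depth = walk(root);
  return stats;
}

// Memoised walk (assumed mitigation, not the upstream patch): each fragment
// is analysed once however often it is spread; re-entering a fragment that
// is still under analysis is a cycle and is rejected.
function memoisedDepth(fragments, root) {
  const stats = { depth: 0, visits: 0 };
  const memo = new Map();
  const inProgress = new Set();
  const walk = (name) => {
    if (memo.has(name)) return memo.get(name);
    if (inProgress.has(name)) throw new Error(`fragment cycle through ${name}`);
    inProgress.add(name);
    stats.visits += 1;
    let deepest = 0;
    for (const s of fragments[name].spreads) deepest = Math.max(deepest, walk(s));
    inProgress.delete(name);
    memo.set(name, 1 + deepest);
    return 1 + deepest;
  };
  stats.depth = walk(root);
  return stats;
}

const sample = buildFanOutFragments(12);
console.log('naive', naiveDepth(sample, 'F0'), 'memoised', memoisedDepth(sample, 'F0'));
```

Both walks report the same depth, but the naive one performs 2^(levels+1)-1 visits while the memoised one performs levels+1, which is the difference between a validator that blocks the event loop and one that does not.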

Affected Systems

The issue affects deployments of parse-community's Parse Server running on Node.js that have the requestComplexity.graphQLDepth or requestComplexity.graphQLFields options enabled. Versions prior to 8.6.68 on the stable branch and before 9.7.0-alpha.12 on the development branch are impacted. Upgrading to the patched releases removes the vulnerability.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, with a single unauthenticated request capable of shutting down service for seconds. EPSS data is unavailable, but because the flaw requires only a crafted payload over the public GraphQL endpoint, the likelihood of exploitation is significant. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but any exposed Parse Server instance that has the complexity validator enabled is at risk for denial of service.

Generated by OpenCVE AI on March 31, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.68 or later (or 9.7.0-alpha.12 or later) to apply the fix.
  • If an immediate upgrade is not possible, disable the requestComplexity.graphQLDepth and requestComplexity.graphQLFields settings to prevent the vulnerability from being triggered.
  • Verify that the configuration changes persist after deployment and that no malicious queries are processed.
  • Monitor the application for abnormal CPU usage or event-loop blocking events to detect any attempts to exploit the remaining risk before a patch is applied.


Advisories
Source: Github GHSA
ID: GHSA-mfj6-6p54-m98c
Title: parse-server has GraphQL complexity validator exponential fragment traversal DoS
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Tue, 31 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 15:30:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

Type: Title
Values Added: Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Type: Weaknesses
Values Added: CWE-407

Type: References

Type: Metrics
Values Added: cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:52:50.211Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34573

Vulnrichment

Updated: 2026-03-31T18:50:21.036Z

NVD

Status : Received

Published: 2026-03-31T16:16:33.737

Modified: 2026-03-31T16:16:33.737

Link: CVE-2026-34573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:11Z

Weaknesses