Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server’s request parser performs a regular‑expression match on the client SDK version supplied in a header before authenticating the request. An attacker who knows a public Parse Application ID can supply an adversarial value that triggers deep backtracking, causing the parser to consume a large amount of CPU time. This leads to a denial of service by exhausting the Node.js worker that processes the request, with the effect that legitimate traffic is delayed or blocked while the worker remains tied up. The weakness is a classic regex‑exponential‑backtracking flaw (CWE‑1333).

Affected Systems

The vulnerability affects the open‑source Parse Server (parse-community:parse-server) prior to version 8.6.77 and the 9.9.1‑alpha.1 release or earlier. Production deployments that rely on the default configuration are included. Upgrading to 8.6.77, 9.9.1‑alpha.1, or later versions resolves the problem.

Risk and Exploitability

With a CVSS score of 8.7 the flaw is considered high severity. The EPSS score is less than 1%, indicating a low probability of widespread exploitation at the moment, and the vulnerability is not listed in CISA’s KEV catalog. However, the attack requires no credentials, only the Application ID, which is typically public. Anyone able to send crafted requests to any /parse/* endpoint can trigger the CPU exhaustion, and a small number of concurrent requests can saturate a worker. Because the vulnerable code path executes before authentication and before rate limiting, the attacker can observe the effect immediately and repeat the request without needing to bypass any protections.

Generated by OpenCVE AI on June 12, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Parse Server to version 8.6.77 or newer, or to 9.9.1‑alpha.1 or a later release that contains the fix.
  • If an upgrade is not immediately possible, implement network‑level throttling or mandatory IP allowlisting so that only trusted IPs can send requests to /parse/* endpoints, effectively limiting the number of potential back‑tracking requests.
  • Add a reverse‑proxy or Web Application Firewall rule to detect and block maliciously crafted Client SDK Version header values, preventing the regex engine from exhausting the Node.js worker.
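The header check recommended above, as an added example that is not Parse Server's or OpenCVE's own code: a length-bounded, single-pass validator for the client SDK version value, wrapped in an Express-style middleware that runs before the application. The header name `x-parse-client-version` and the `platform + dotted digits` value shape are assumptions; adjust both to the deployment.

```javascript
// Added example, not Parse Server's own code. A bounded, single-pass validator for a
// client SDK version value, run in front of the application so that a hostile value is
// rejected cheaply instead of reaching a backtracking regular expression.
const MAX_LEN = 64;        // backtracking cost grows with input length, so bound it first
const MAX_DIGITS = 9;      // keeps each numeric component within safe integer range
const MAX_PARTS = 4;       // e.g. "js5.0.0" or "android1.2.3.4" (value shape is assumed)

function parseClientVersion(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  if (raw.length === 0 || raw.length > MAX_LEN) return { ok: false, reason: 'bad length' };
  let i = 0;
  // optional alphabetic platform prefix such as "js" or "android"
  while (i < raw.length && /^[a-z]$/i.test(raw[i])) i++;
  const platform = raw.slice(0, i).toLowerCase();
  // dotted numeric components; each character is consumed exactly once, so the
  // cost is linear in the length of the value whatever its content
  const parts = [];
  let digits = '';
  for (; i < raw.length; i++) {
    const c = raw[i];
    if (c >= '0' && c <= '9') {
      digits += c;
      if (digits.length > MAX_DIGITS) return { ok: false, reason: 'component too long' };
    } else if (c === '.' && digits.length > 0) {
      parts.push(Number(digits));
      digits = '';
    } else {
      return { ok: false, reason: `unexpected character at offset ${i}` };
    }
  }
  if (digits.length === 0) return { ok: false, reason: 'empty version component' };
  parts.push(Number(digits));
  if (parts.length > MAX_PARTS) return { ok: false, reason: 'too many components' };
  return { ok: true, platform, version: parts };
}

// Express-style middleware (header name is an assumption). The same validator can be
// applied to a version field carried in a JSON body before it is parsed any further.
function clientVersionGuard(headerName = 'x-parse-client-version') {
  return function (req, res, next) {
    const value = req.headers[headerName];
    if (value === undefined) return next();            // header is optional
    const result = parseClientVersion(Array.isArray(value) ? value[0] : value);
    if (!result.ok) {
      res.statusCode = 400;
      res.setHeader('Content-Type', 'application/json');
      return res.end(JSON.stringify({ error: 'invalid client version', detail: result.reason }));
    }
    req.clientVersion = result;                         // structured value for downstream code
    return next();
  };
}
```

Mount the guard ahead of the /parse/* router so the rejection happens before any other header parsing; at the reverse proxy, the equivalent rule is simply a maximum header length plus a character allowlist.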

Advisories
Source: GitHub GHSA
ID: GHSA-38m6-82c8-4xfm
Title: Parse Server: Pre-authentication denial of service via client version header regex backtracking
History

Fri, 12 Jun 2026 19:45:00 +0000

First Time appeared (values added): Parse Community; Parse Community parse Server
Vendors & Products (values added): Parse Community; Parse Community parse Server

Fri, 12 Jun 2026 19:30:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Values added:
Description: the description text shown at the top of this page
Title: Parse Server: Pre-authentication denial of service via client version header regex backtracking
Weaknesses: CWE-1333
References:
Metrics: cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:56:14.419Z

Reserved: 2026-05-18T19:50:18.696Z

Link: CVE-2026-47138

Vulnrichment

Updated: 2026-06-12T18:56:11.468Z

NVD

Status : Received

Published: 2026-06-12T19:16:28.257

Modified: 2026-06-12T19:16:28.257

Link: CVE-2026-47138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses
  • CWE-1333: Inefficient Regular Expression Complexity