Impact
The flaw in Parse Server occurs when deeply nested $or, $and, and $nor query operators are processed by the REST API or LiveQuery handling. The internal query‑traversal helper can experience exponential‑time processing under these conditions, blocking the Node.js event loop and causing a denial of service. This vulnerability is classified as CWE‑407, an inefficient algorithmic complexity issue.
Affected Systems
The affected product is Parse Server, an open‑source Node.js backend maintained by the parse‑community. Versions prior to 9.9.1‑alpha.12 and 8.6.82 are vulnerable and require upgrading to at least those release points.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. While EPSS data is unavailable, the lack of a KEV listing does not diminish the risk, because the vulnerability can be triggered remotely by sending a specially crafted query to an exposed REST or LiveQuery endpoint. The likely attack vector is initiating such a query over the network, thereby exhausting server resources through event-loop blocking.
OpenCVE Enrichment