Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
Published: 2026-07-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Parse Server occurs when deeply nested $or, $and, and $nor query operators are processed by the REST API or LiveQuery handling. The internal query‑traversal helper can experience exponential‑time processing under these conditions, blocking the Node.js event loop and causing a denial of service. This vulnerability is classified as CWE‑407, an inefficient algorithmic complexity issue.

Affected Systems

The affected product is Parse Server, an open‑source Node.js backend maintained by the parse‑community. Versions prior to 9.9.1‑alpha.12 and 8.6.82 are vulnerable and require upgrading to at least those release points.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. While EPSS data is unavailable, the lack of a KEV listing does not diminish the risk, because the vulnerability can be triggered remotely by sending a specially crafted query to an exposed REST or LiveQuery endpoint. The likely attack vector is initiating such a query over the network, thereby exhausting server resources through event-loop blocking.

Generated by OpenCVE AI on July 9, 2026 at 09:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Parse Server v9.9.1‑alpha.12 or v8.6.82 or later to remove the flaw.
  • Implement validation to reject or limit queries with $or, $and, or $nor operators nested beyond an allowed depth.
  • Enable monitoring of Node.js event-loop latency and set alerts for prolonged blocking to detect potential denial-of-service attacks.

Generated by OpenCVE AI on July 9, 2026 at 09:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
Title Parse Server: Denial of service via exponential-time processing of deeply nested query operators
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Parse Community Parse Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:53:21.307Z

Reserved: 2026-06-24T14:53:40.110Z

Link: CVE-2026-57480

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T09:15:05Z

Weaknesses
  • CWE-407

    Inefficient Algorithmic Complexity