Parse Server Denial-of-Service Vulnerability via Unbounded Query Complexity in REST and GraphQL APIs

Vulnerability

A denial-of-service vulnerability has been identified in Parse Server versions prior to 9.5.2-alpha.2 and 8.6.15. This issue allows an unauthenticated attacker to exhaust server resources such as CPU, memory, and database connections. The vulnerability arises from the absence of complexity limits in the REST and GraphQL APIs, enabling crafted queries to overload the server. All deployments of Parse Server using these APIs are affected.

Impact

Exploitation of this vulnerability leads to a significant denial-of-service condition, causing high resource exhaustion on the server.

Remediation

The vulnerability is fixed in Parse Server versions 9.5.2-alpha.2 and 8.6.15. Users can update to these versions to address the issue. Additionally, for those using Parse Server 9, the `requestComplexity` server option can be configured to set complexity limits for queries, which helps mitigate the vulnerability. If the option is not set, its default values apply and are sufficient to fix the vulnerability.
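As an added illustration (not Parse Server's own code and not the `requestComplexity` implementation), the following JavaScript estimates the complexity of a Parse REST query from its `where`, `include` and `limit` parameters, so that a deployment which cannot upgrade yet can reject over-budget queries in front of the API. The operator weights, the depth limit and the score budget are assumptions chosen for the example, and `where` is assumed to be already JSON-decoded.

```javascript
const LIMITS = { maxScore: 50, maxDepth: 4 }; // assumed budget; tune per deployment
// Parse REST `where` operators that trigger extra sub-queries or joins.
const SUBQUERY_OPS = new Set(['$inQuery', '$notInQuery', '$select', '$dontSelect', '$relatedTo']);
const COMPOUND_OPS = new Set(['$or', '$and', '$nor']);

// Score a `where` object recursively; depth is tracked so deep boolean trees are rejected outright.
function scoreWhere(where, depth = 1) {
  if (depth > LIMITS.maxDepth) throw new RangeError('where nesting too deep');
  if (where === null || typeof where !== 'object') return 0;
  let score = 0;
  for (const [key, value] of Object.entries(where)) {
    if (COMPOUND_OPS.has(key)) {
      // Every branch of $or/$and/$nor is a separate filter the database must evaluate.
      const branches = Array.isArray(value) ? value : [value];
      score += branches.reduce((s, b) => s + 1 + scoreWhere(b, depth + 1), 0);
    } else if (SUBQUERY_OPS.has(key)) {
      score += 10 + scoreWhere((value && value.where) || {}, depth + 1); // whole extra query
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      score += 1 + scoreWhere(value, depth + 1); // e.g. { score: { $gt: 5 } }
    } else {
      score += Array.isArray(value) ? 1 + value.length : 1; // long $in lists cost more
    }
  }
  return score;
}

// Each dotted `include` segment is another round of pointer resolution.
function scoreInclude(include) {
  if (!include) return 0;
  const paths = Array.isArray(include) ? include : String(include).split(',');
  return paths.reduce((s, p) => s + 2 * p.split('.').length, 0);
}

// Total score for a parsed REST query (`where` already JSON-decoded); larger pages cost more.
function estimateComplexity(query) {
  const limit = Number(query.limit) || 100;
  return scoreWhere(query.where || {}) + scoreInclude(query.include) + Math.ceil(limit / 100);
}

// Verdict object so callers can log the score as well as act on it.
function checkQuery(query) {
  try {
    const score = estimateComplexity(query);
    return { allowed: score <= LIMITS.maxScore, score };
  } catch (err) {
    return { allowed: false, score: Infinity, reason: err.message };
  }
}
```

Call `checkQuery` from a middleware mounted ahead of the Parse API (respond with 429 when `allowed` is false) and log `score` so the budget can be tuned on real traffic. GraphQL requests need a separate walker over the parsed document, since their depth and breadth are not expressed through these REST parameters.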

Added: Mar 10, 2026, 9:28 PM
Updated: Mar 10, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.3
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.