Primary

Context

Parse Server Denial-of-Service Vulnerability via Deeply Nested Query Operators

Vulnerability

Patched

A denial-of-service vulnerability has been identified in Parse Server versions 9.0.0 prior to 9.6.0-alpha.21 and in versions prior to 8.6.45. The issue allows an unauthenticated attacker to crash the Parse Server process by sending a request with deeply nested query condition operators. This action terminates the server process, causing a service disruption for all connected clients.

Impact

Exploitation of this vulnerability leads to a server crash, causing a denial-of-service condition for all connected clients.

Remediation

To address this vulnerability, users should upgrade to Parse Server versions 9.6.0-alpha.21 or 8.6.45. After upgrading, the `requestComplexity.queryDepth` server option should be enabled and set to a value appropriate for the application.

Added: Mar 18, 2026, 10:22 PM

Updated: Mar 18, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

2.5

exploitability

8.3

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

2.5

exploitability

8.3

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Parse Server Denial-of-Service Vulnerability via Deeply Nested Query Operators

Vulnerability

Impact

Remediation

Affected Products

Parse Server

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating