Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.6.0-alpha.44
- < 8.6.55
A denial-of-service vulnerability has been identified in Parse Server, an open-source backend framework that runs on Node.js. This issue affects versions prior to 8.6.55 and 9.6.0-alpha.44. The vulnerability allows an attacker to send an unauthenticated HTTP request with a deeply nested query that includes logical operators. This query can cause the Parse Server process to hang indefinitely, rendering the server unresponsive and requiring a manual restart. Notably, this vulnerability bypasses a previous fix implemented for CVE-2026-32944.
Exploitation of this vulnerability causes the Parse Server process to hang permanently, leading to a complete loss of server responsiveness. As a result, the server must be manually restarted to restore functionality.
To reproduce this vulnerability, send an unauthenticated HTTP request to a Parse Server instance running a vulnerable version. Include a deeply nested query with logical operators, such as '$and' or '$or', that exceeds the server's maximum query depth limit. The request can be made through the REST API by specifying the 'where' parameter with a JSON string that represents the nested query structure. Once the server processes the request, it will become unresponsive and require a manual restart.
Users can upgrade to Parse Server versions 8.6.55 or 9.6.0-alpha.44, both of which include the necessary patch. Instructions for upgrading can be found in the Parse Server documentation.
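Alongside the upgrade, an added defense-in-depth illustration (example code, not Parse Server's own): a Node.js check that measures how deeply a REST `where` query is nested, counting every object and array level rather than only logical-operator keys, and returns a verdict an edge middleware can turn into a 400 before the request reaches Parse Server. The function names, the limits and the sample queries are assumptions.

```javascript
// Added defensive example (not Parse Server's own code): measure how deeply a REST
// `where` query is nested before it reaches Parse Server. Names and limits are assumptions.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// Nesting depth of a parsed `where` value: scalars are 0, each object or
// array level adds 1. Walks with an explicit stack, so the checker itself
// cannot be pushed into deep recursion by the input it inspects.
function whereDepth(value) {
  let maxDepth = 0;
  const stack = [{ node: value, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth + 1 > maxDepth) maxDepth = depth + 1;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push({ node: child, depth: depth + 1 });
  }
  return maxDepth;
}

// Number of logical-operator keys ($and/$or/$nor) anywhere in the query; an
// independent ceiling that does not depend on how the nesting is shaped.
function logicalOperatorCount(value) {
  let count = 0;
  const stack = [value];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (!Array.isArray(node)) {
      for (const key of Object.keys(node)) if (LOGICAL_OPERATORS.has(key)) count += 1;
    }
    for (const child of Array.isArray(node) ? node : Object.values(node)) stack.push(child);
  }
  return count;
}

// Accepts the raw `where` (a JSON string from the query string, or an already
// parsed object from a JSON body) and returns a verdict the caller can map to 400.
function checkWhere(where, { maxDepth = 10, maxLogicalOps = 50 } = {}) {
  let parsed = where;
  if (typeof where === 'string') {
    try { parsed = JSON.parse(where); } catch (e) { return { ok: false, reason: 'where is not valid JSON' }; }
  }
  const depth = whereDepth(parsed);
  const logicalOps = logicalOperatorCount(parsed);
  if (depth > maxDepth) return { ok: false, reason: `nesting depth ${depth} exceeds ${maxDepth}`, depth, logicalOps };
  if (logicalOps > maxLogicalOps) return { ok: false, reason: `${logicalOps} logical operators exceed ${maxLogicalOps}`, depth, logicalOps };
  return { ok: true, depth, logicalOps };
}
```

Run `checkWhere` on `req.query.where` and on `req.body.where` in a middleware mounted ahead of the Parse Server API, and tune the ceilings to the deepest legitimate query your clients actually issue.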