Parse Server GraphQL Query Complexity Validator Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Parse Server versions prior to 8.6.68 and 9.7.0-alpha.12. The issue arises in the GraphQL query complexity validator, which can be exploited by sending a crafted query that uses binary fan-out fragment spreads. This exploitation can block the Node.js event loop for several seconds, disrupting service for all concurrent users. The vulnerability only affects deployments with the requestComplexity.graphQLDepth or requestComplexity.graphQLFields options enabled.

Impact

Exploitation of this vulnerability can lead to a significant denial-of-service, causing the Node.js event loop to hang for several seconds. Because Node.js serves every request from that single event loop, a blocked loop stalls all in-flight and incoming requests, not only the one that carried the crafted query, effectively slowing down or freezing the application for all users.

Reproduction

The vulnerability can be reproduced by sending a GraphQL query whose fragment spreads are arranged so that each level doubles the work of the complexity validator: each fragment spreads into the next one twice, so the number of field visits grows exponentially with the number of fragments. A query that exceeds the configured complexity limits in this way causes the server to hang while the validator processes the request.
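The following is an added example, not Parse Server code and not a reproduction of its validator, illustrating from the defender's side why the pattern above is expensive and what a bounded traversal looks like. It models fragments as a plain object (hypothetical helpers countFieldsNaive and validateFieldCount; the fragment names and field counts are constructed) rather than as a graphql-js AST. The naive counter re-expands a fragment every time it is spread, so its work doubles per level even though the field total it returns is correct; the bounded counter memoizes each fragment's total, stops as soon as the running total passes the limit, and rejects fragment cycles instead of recursing forever. Whether Parse Server's fix takes this form is not stated in this advisory.

```javascript
'use strict';

// Constructed sample of the fragment shape the advisory describes: every
// fragment spreads the next one twice, so a naive traversal visits twice as
// many fields at each level. Names and field counts are made up.
const SAMPLE_FRAGMENTS = {
  Query: { fields: 1, spreads: ['A', 'A'] },
  A:     { fields: 1, spreads: ['B', 'B'] },
  B:     { fields: 1, spreads: ['C', 'C'] },
  C:     { fields: 2, spreads: [] },
};

// Constructed sample of two fragments spreading each other. The GraphQL spec
// forbids this, but a validator that runs before the cycle rule must not loop.
const CYCLIC_FRAGMENTS = {
  X: { fields: 1, spreads: ['Y'] },
  Y: { fields: 1, spreads: ['X'] },
};

// Naive counter: re-expands a fragment each time it is spread. The total is
// right, but `evaluations` doubles with every level of binary fan-out.
function countFieldsNaive(fragments, root) {
  let evaluations = 0;
  const visit = (name) => {
    evaluations += 1;
    const frag = fragments[name];
    let total = frag.fields;
    for (const spread of frag.spreads) total += visit(spread);
    return total;
  };
  return { total: visit(root), evaluations };
}

// Bounded counter: each fragment's total is computed once and memoized, the
// running total is checked against maxFields as it grows, and re-entering a
// fragment that is still being expanded is reported as a cycle.
function validateFieldCount(fragments, root, maxFields) {
  const memo = new Map();       // fragment name -> field total
  const expanding = new Set();  // fragments on the current expansion path
  let evaluations = 0;
  const over = () => { throw new Error(`query exceeds ${maxFields} fields`); };
  const visit = (name) => {
    if (memo.has(name)) return memo.get(name);
    if (expanding.has(name)) throw new Error(`fragment cycle through "${name}"`);
    const frag = fragments[name];
    if (!frag) throw new Error(`unknown fragment "${name}"`);
    expanding.add(name);
    evaluations += 1;
    let total = frag.fields;
    if (total > maxFields) over();
    for (const spread of frag.spreads) {
      total += visit(spread);
      if (total > maxFields) over();  // stop early instead of finishing the expansion
    }
    expanding.delete(name);
    memo.set(name, total);
    return total;
  };
  try {
    return { ok: true, total: visit(root), evaluations };
  } catch (err) {
    return { ok: false, reason: err.message, evaluations };
  }
}

// Stand-alone demonstration: same field total, very different amount of work.
console.log('naive   ', countFieldsNaive(SAMPLE_FRAGMENTS, 'Query'));
console.log('bounded ', validateFieldCount(SAMPLE_FRAGMENTS, 'Query', 100));
console.log('limit 10', validateFieldCount(SAMPLE_FRAGMENTS, 'Query', 10));
console.log('cycle   ', validateFieldCount(CYCLIC_FRAGMENTS, 'X', 100));
```

With four fragments the naive counter already performs 15 fragment expansions for a total of 23 fields, while the memoized counter performs 4; adding one more fragment to the chain doubles the former and adds one to the latter, which is the difference between a validator that finishes and one that blocks the event loop.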

Remediation

Users can upgrade to Parse Server versions 8.6.68 or 9.7.0-alpha.12 to address this vulnerability. Alternatively, the GraphQL complexity limits can be disabled by setting requestComplexity.graphQLDepth and requestComplexity.graphQLFields to -1, which is the default; note that this also removes the protection against expensive queries that those limits were enabled to provide.

Added: Mar 31, 2026, 4:30 PM
Updated: Mar 31, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact          0.6
exploitability  7.8
remediation     8.3
relevance       5.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.