Resource exhaustion in Parse-community Parse-server

CVE-2026-33538

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (34.0th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.58, >= 9.0.0, < 9.6.0-alpha.52

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10270 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10271 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54 (x_refsource_MISC)