Vulnerability in Parse-community Parse-server

CVE-2026-34573

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by se…

EPSS: 0.000 (4.9th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.68, >= 9.0.0, < 9.7.0-alpha.12

Weakness classification (CWE)

CWE-407 — Inefficient Algorithmic Complexity

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10344 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10345 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b (x_refsource_MISC)