CVE-2026-34573

HIGH EPSS 36.8%
Published Mar 31, 20263mo ago · Modified Jun 17, 20261w ago
8.2 CVSS 4.0
High
Find Similar
Published Mar 31, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

CVSS Details

Base Score
8.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
36.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-407

Affected Products 13

VendorProductVersionRange
parseplatformparse-server* <8.6.68
parseplatformparse-server*≥9.0.0  –  <9.7.0
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any
parseplatformparse-server9.7.0any

References 5

  • github.com https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10344
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/pull/10345
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
    PatchVendor Advisory

Remediation

  • github.com https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10344
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/pull/10345
    Issue TrackingPatch
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
    PatchVendor Advisory