Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
- Severity:
- High
Description
An unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs.
All Parse Server deployments using the REST or GraphQL API are affected.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 9.0.0, < 9.5.2-alpha.2 < 8.6.15** Patched version(s): **9.5.2-alpha.2 8.6.15**
References
Related Issues
- Parse Server: Denial of Service via unindexed database query for unconfigured auth providers - CVE-2026-33538
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on March 16, 2026