parse-server has GraphQL complexity validator exponential fragment traversal DoS

Description

The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.68

  >= 9.0.0, < 9.7.0-alpha.12**

• Patched version(s): **8.6.68

  9.7.0-alpha.12**

References

• GHSA-mfj6-6p54-m98c
• CVE-2026-34573
• CWE-407
• CAPEC-310
• OWASP 2021-A6

Related Issues

• parse-server has cloud function validator bypass via prototype chain traversal - CVE-2026-34532
• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
• Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
• Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

parse-server