CVE-2026-34573

EPSS 0.46%
Veröffentlicht 31.03.2026 15:06:33
Zuletzt bearbeitet 02.04.2026 17:31:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 13 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.68

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.365

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	8.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-407 Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c

Patch

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10344

Patch

Issue Tracking

https://github.com/parse-community/parse-server/pull/10345

Patch

Issue Tracking

https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295

Patch

https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-34573

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34573

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34573

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34573