QSearchQSearch

CVE-2026-47138

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CWE
CWE-1333

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-44496 Axios is a promise based HTTP client for the browser and Node.js (7.5 HIGH)
  • CVE-2026-42567 Svelte is a performance oriented web framework (7.5 HIGH)
  • CVE-2026-41848 Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which... (3.7 LOW)
  • CVE-2026-52778 YesWiki is a wiki system written in PHP (9.8 CRITICAL)
  • CVE-2026-11478 A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb (3.3 LOW)