Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg
Release Notes x_refsource_misc
https://github.com/parse-community/parse-server/releases/tag/8.6.15
Release Notes x_refsource_misc
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2
Scores
CVSS v3
7.5
EPSS
0.0056
EPSS Percentile
42.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (3)
npm/parse-server
0 - 8.6.15npm
parseplatform/parse-server
9.5.2 alpha1
parseplatform/parse-server
< 8.6.15
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026