CVE-2026-34573 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains a denial-of-service vulnerability in its GraphQL query complexity validator. Prior to versions 8.6.68 and 9.7.0-alpha.12, the complexity validator can be exploited by sending crafted queries with binary fan-out fragment spreads. This algorithmic complexity attack allows a single unauthenticated request to block the Node.js event loop for seconds, effectively denying service to all concurrent users.
Critical Impact
A single unauthenticated attacker can cause complete service disruption for all Parse Server users by exploiting exponential fragment traversal in the GraphQL complexity validator.
Affected Products
- Parse Server versions prior to 8.6.68
- Parse Server versions 9.7.0-alpha1 through 9.7.0-alpha11
- Deployments with requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options enabled
Discovery Timeline
- March 31, 2026 - CVE-2026-34573 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34573
Vulnerability Analysis
This vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity). The GraphQL complexity validator in Parse Server fails to properly handle binary fan-out fragment spreads, leading to exponential traversal behavior. When processing nested fragment references, the validator traverses fragments without caching results, causing the computational cost to grow exponentially with query depth.
The attack is particularly severe because it requires no authentication and operates at the application layer. A malicious actor can craft a GraphQL query that appears relatively simple but triggers an exponential number of operations during complexity validation. This blocks the single-threaded Node.js event loop, preventing the server from processing any other requests during the attack.
The vulnerability specifically affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options, as these trigger the vulnerable validation code path.
Root Cause
The root cause lies in the calculateQueryComplexity function in src/GraphQL/helpers/queryComplexity.js. The original implementation recursively traverses fragment spreads without caching the results of previously computed fragments. When a query contains fragments that reference other fragments in a fan-out pattern, each fragment is re-evaluated multiple times, leading to exponential time complexity.
Attack Vector
The attack is network-accessible and requires no authentication. An attacker constructs a GraphQL query containing multiple nested fragment spreads that create exponential traversal paths. The query complexity validator attempts to calculate the total complexity before execution, but the exponential fragment resolution consumes CPU resources and blocks the event loop. Since Node.js is single-threaded, this prevents all other request processing until the computation completes.
// Security patch from src/GraphQL/helpers/queryComplexity.js
// Source: https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
import { GraphQLError } from 'graphql';
import logger from '../../logger';
-function calculateQueryComplexity(operation, fragments) {
+function calculateQueryComplexity(operation, fragments, limits = {}) {
let maxDepth = 0;
let totalFields = 0;
+ const fragmentCache = new Map();
+ const { maxDepth: allowedMaxDepth, maxFields: allowedMaxFields } = limits;
function visitSelectionSet(selectionSet, depth, visitedFragments) {
if (!selectionSet) {
return;
}
+ if (
+ (allowedMaxFields !== undefined && allowedMaxFields !== -1 && totalFields > allowedMaxFields) ||
+ (allowedMaxDepth !== undefined && allowedMaxDepth !== -1 && maxDepth > allowedMaxDepth)
+ ) {
+ return;
+ }
for (const selection of selectionSet.selections) {
if (selection.kind === 'Field') {
totalFields++;
The patch introduces a fragmentCache Map to store computed fragment complexity results, preventing redundant traversals. Additionally, it adds early termination checks that stop traversal once configured limits are exceeded, preventing unbounded computation.
Detection Methods for CVE-2026-34573
Indicators of Compromise
- Abnormally high CPU utilization on Parse Server instances without corresponding increase in legitimate traffic
- GraphQL endpoint response times increasing dramatically or timing out
- Server logs showing extended request processing times for GraphQL queries
- Event loop lag metrics spiking on Node.js monitoring dashboards
Detection Strategies
- Monitor GraphQL query complexity and depth at the application firewall or API gateway level
- Implement request timeout monitoring that alerts on queries exceeding expected processing times
- Deploy application performance monitoring (APM) to detect Node.js event loop blocking events
- Analyze incoming GraphQL queries for unusual fragment nesting patterns or repeated fragment references
Monitoring Recommendations
- Configure alerting for CPU utilization spikes exceeding baseline thresholds on Parse Server hosts
- Implement rate limiting on GraphQL endpoints to prevent rapid-fire attack attempts
- Enable detailed request logging for GraphQL operations to support forensic analysis
- Monitor for patterns of queries with excessive fragment definitions relative to actual data requested
How to Mitigate CVE-2026-34573
Immediate Actions Required
- Upgrade Parse Server to version 8.6.68 or later for stable branch deployments
- Upgrade Parse Server to version 9.7.0-alpha.12 or later for alpha branch deployments
- Temporarily disable the requestComplexity.graphQLDepth and requestComplexity.graphQLFields configuration options if upgrade cannot be performed immediately
- Implement network-level rate limiting on GraphQL endpoints as an additional defense layer
Patch Information
Parseplatform has released security patches addressing this vulnerability. The fixes are available in versions 8.6.68 and 9.7.0-alpha.12. The patches introduce fragment caching to prevent exponential traversal and add early termination when configured complexity limits are exceeded. For detailed patch information, see GitHub Pull Request #10344, GitHub Pull Request #10345, and the GitHub Security Advisory GHSA-mfj6-6p54-m98c.
Workarounds
- Disable GraphQL complexity validation by removing requestComplexity.graphQLDepth and requestComplexity.graphQLFields from your Parse Server configuration until patched versions can be deployed
- Deploy a reverse proxy or WAF with GraphQL query inspection capabilities to filter potentially malicious queries
- Implement application-level timeouts that terminate long-running GraphQL validation processes
# Configuration example - Disable complexity validation temporarily
# In your Parse Server initialization, remove or comment out these options:
# parseServerOptions = {
# // TEMPORARILY DISABLED - CVE-2026-34573
# // requestComplexity: {
# // graphQLDepth: 10,
# // graphQLFields: 100
# // }
# }
# After upgrading to 8.6.68+ or 9.7.0-alpha.12+, re-enable with:
parseServerOptions = {
requestComplexity: {
graphQLDepth: 10,
graphQLFields: 100
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
