
CVE-2026-47138: Parse Server DoS Vulnerability

CVE-2026-47138 is a denial of service vulnerability in Parse Server that allows unauthenticated attackers to consume CPU resources via malicious HTTP requests. This article covers technical details, affected versions, and patches.


CVE-2026-47138 Overview

CVE-2026-47138 is a Regular Expression Denial of Service (ReDoS) vulnerability in Parse Server, an open-source backend that runs on Node.js. The flaw exists in a request-header parser that processes the client SDK version field before authentication or rate limiting executes. An unauthenticated attacker who knows a publicly known Parse Application ID can submit crafted input that triggers polynomial backtracking. A single request can pin a Node.js worker for seconds to minutes of synchronous CPU. Production deployments running default configurations are affected. The issue is patched in versions 8.6.77 and 9.9.1-alpha.1.

Critical Impact

A small number of concurrent requests can saturate Parse Server workers, while a single large body-field request can pin a worker for minutes, leading to service unavailability.

Affected Products

  • Parse Server versions prior to 8.6.77
  • Parse Server versions prior to 9.9.1-alpha.1
  • Node.js deployments running Parse Server with default configuration

Discovery Timeline

  • 2026-06-12 - CVE-2026-47138 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47138

Vulnerability Analysis

The vulnerability is classified under CWE-1333, Inefficient Regular Expression Complexity. Parse Server parses the client SDK version field on every /parse/* request using a regular expression that exhibits polynomial backtracking when fed adversarial input. The parsing executes before session authentication and before rate limiting, meaning any unauthenticated client can invoke the expensive code path. Because Node.js executes JavaScript on a single thread per worker, a stalled regex blocks all other requests routed to that worker. The EPSS score is 0.907% with a percentile of 55.202.

Root Cause

The root cause is a regular expression with catastrophic backtracking properties applied to attacker-controlled header content. The parser inspects the X-Parse-Client-Version header (and a related body field) without complexity bounds or input length limits. When the input contains repeating patterns that match ambiguous regex alternatives, the engine explores a number of match paths that grows polynomially with input length, so CPU time grows polynomially as well and a single request can consume sustained CPU.

Attack Vector

The attack vector is network-based and requires no authentication. An attacker only needs the publicly known Parse Application ID associated with a target deployment. The attacker sends an HTTP request to any /parse/* endpoint with a malicious SDK version string in the header or body. The parser runs synchronously before access control, so the request consumes CPU regardless of whether the application accepts the request. A small volume of concurrent requests saturates all workers, producing a denial-of-service condition.

No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-38m6-82c8-4xfm for additional technical detail.

Detection Methods for CVE-2026-47138

Indicators of Compromise

  • Sustained high CPU utilization on Node.js worker processes hosting Parse Server with no corresponding spike in application throughput
  • HTTP requests to /parse/* endpoints containing unusually long or repetitive values in the X-Parse-Client-Version header or body field
  • Increased response latency and request timeouts on Parse Server endpoints from unauthenticated sources

Detection Strategies

  • Inspect web server and reverse proxy logs for /parse/* requests with header or body values exceeding expected SDK version string length
  • Correlate process CPU spikes with inbound request timing to identify single requests that consume disproportionate worker time
  • Alert on repeated requests from the same source containing identical or pattern-matched long SDK version strings
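The log-hunting steps above, as an added example that is not part of this page or of Parse Server: a Node.js script that scans proxy access-log lines for /parse/* requests whose X-Parse-Client-Version value is overlong or malformed and aggregates hits per source address. It assumes a custom log format that records the header, a 32-character ceiling on legitimate SDK identifiers and an SDK version shape like js5.3.0; the sample log lines are constructed.

```javascript
// Added detection example (not Parse Server code). Assumed custom proxy log format:
//   $remote_addr "$request" $status "$http_x_parse_client_version" $request_time

// Legitimate SDK identifiers are short, e.g. "js5.3.0" (shape assumed for this example).
const MAX_SDK_VERSION_LEN = 32;
// Anchored, disjoint character classes, bounded repeats: this check runs in linear time.
const SDK_VERSION_SHAPE = /^[a-z]{1,8}\d{1,4}\.\d{1,4}\.\d{1,4}$/i;
// The quoted header is captured with [^"]* so the line parser itself cannot backtrack.
const LINE_RE = /^(\S+) "([A-Z]+) (\S+) [^"]*" (\d{3}) "([^"]*)" ([\d.]+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]),
           sdkVersion: m[5], seconds: Number(m[6]) };
}

// Reason a header value is suspicious, or null when it is absent or looks benign.
function classifySdkVersion(value) {
  if (value === '' || value === '-') return null;
  if (value.length > MAX_SDK_VERSION_LEN) return 'overlong';
  if (!SDK_VERSION_SHAPE.test(value)) return 'malformed';
  return null;
}

// Aggregate suspicious /parse/* requests per source address (Map of ip -> summary).
function scanLog(lines) {
  const perSource = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !rec.path.startsWith('/parse/')) continue;
    const reason = classifySdkVersion(rec.sdkVersion);
    if (!reason) continue;
    const entry = perSource.get(rec.ip) || { hits: 0, reasons: new Set(), maxSeconds: 0 };
    entry.hits += 1;
    entry.reasons.add(reason);
    entry.maxSeconds = Math.max(entry.maxSeconds, rec.seconds); // longest request seen
    perSource.set(rec.ip, entry);
  }
  return perSource;
}

// Constructed sample lines, not real traffic; the second carries a 300-character value.
const SAMPLE_LINES = [
  '203.0.113.7 "POST /parse/classes/Foo HTTP/1.1" 200 "js5.3.0" 0.012',
  '198.51.100.9 "GET /parse/classes/Foo HTTP/1.1" 499 "' + 'a1.'.repeat(100) + '" 47.380',
  '198.51.100.9 "GET /parse/health HTTP/1.1" 200 "js!!!" 0.003',
  '192.0.2.5 "GET /static/app.js HTTP/1.1" 200 "' + 'x'.repeat(200) + '" 0.001',
];
```

Only /parse/* paths are considered, so the oversized header on the /static/ request is ignored while both anomalous requests from 198.51.100.9 are counted together with the slowest observed request time.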

Monitoring Recommendations

  • Monitor event loop lag and per-worker CPU saturation metrics on Node.js processes running Parse Server
  • Track request duration percentiles at the load balancer and alert when p99 latency on /parse/* exceeds baseline
  • Capture and retain HTTP request headers for /parse/* traffic to enable retrospective hunting against adversarial input patterns

How to Mitigate CVE-2026-47138

Immediate Actions Required

  • Upgrade Parse Server to version 8.6.77 or 9.9.1-alpha.1 as soon as possible
  • Place a reverse proxy or web application firewall in front of Parse Server to enforce maximum header and body size limits on /parse/* endpoints
  • Rotate or restrict access to the Parse Application ID where feasible, recognizing that Application IDs are not a security boundary

Patch Information

The Parse Server maintainers released fixes in versions 8.6.77 and 9.9.1-alpha.1. The patches replace the vulnerable parsing logic with a bounded implementation that prevents polynomial backtracking. Review the changes in GitHub Pull Request #10463 and GitHub Pull Request #10464 before deployment.
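The bounded parsing approach the patch description refers to, shown as an added illustration that is not Parse Server's actual fix: the value is rejected by length before any parsing and then scanned once left to right, so the work done is linear in the capped length and no backtracking is possible. The header format (letters followed by major.minor.patch, e.g. js5.3.0), the 32-character cap and the Express-style middleware shape are assumptions made for this example.

```javascript
// Added example of a bounded, linear-time SDK version parser. Not Parse Server's
// patched code; the value format "js5.3.0" and the 32-character cap are assumed.
const MAX_LEN = 32;

function isLetter(c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
function isDigit(c) { return c >= '0' && c <= '9'; }

// Returns { sdk, version: [major, minor, patch] } or null. Every branch either
// advances the index or returns, so each character is visited at most once.
function parseClientVersion(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > MAX_LEN) return null;
  let i = 0;
  while (i < value.length && isLetter(value[i])) i++;
  if (i === 0) return null;                          // SDK name must be non-empty
  const sdk = value.slice(0, i).toLowerCase();
  const parts = [];
  for (let p = 0; p < 3; p++) {
    const start = i;
    while (i < value.length && isDigit(value[i])) i++;
    if (i === start || i - start > 4) return null;   // each component is 1..4 digits
    parts.push(Number(value.slice(start, i)));
    if (p < 2) {
      if (value[i] !== '.') return null;             // components are dot-separated
      i++;
    }
  }
  if (i !== value.length) return null;               // trailing junk is rejected
  return { sdk, version: parts };
}

// Express-style middleware (assumed shape) that validates the header before any
// other work, so an unauthenticated request never reaches an expensive code path.
function clientVersionGuard(req, res, next) {
  const raw = req.get ? req.get('X-Parse-Client-Version') : req.headers['x-parse-client-version'];
  if (raw === undefined) return next();              // the header is optional
  const parsed = parseClientVersion(raw);
  if (!parsed) return res.status(400).send('invalid X-Parse-Client-Version');
  req.clientSdk = parsed;
  return next();
}
```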

Workarounds

  • Enforce strict length limits on inbound HTTP headers and request bodies at the proxy layer, rejecting X-Parse-Client-Version values longer than expected SDK identifiers
  • Apply pre-authentication rate limiting at the edge for /parse/* routes to constrain the volume of CPU-expensive parsing per source
  • Run Parse Server behind a load balancer with worker health checks that recycle stalled processes
```nginx
# Example nginx configuration to bound request size and limit /parse/* request rate.
# limit_req_zone and upstream belong in the http {} context alongside server {}.
limit_req_zone $binary_remote_addr zone=parse_zone:10m rate=10r/s;

upstream parse_backend {
    server 127.0.0.1:1337;   # assumed address of the Parse Server process
}

server {
    # Cap each request header line (including X-Parse-Client-Version) at 4k;
    # longer headers are rejected before they reach Parse Server. Note that 4k
    # still admits a few thousand characters, so this complements the upgrade.
    large_client_header_buffers 4 4k;
    client_max_body_size 256k;

    location /parse/ {
        limit_req zone=parse_zone burst=20 nodelay;
        proxy_pass http://parse_backend;
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
