Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57480

CVE-2026-57480: Parse Server DOS Vulnerability

CVE-2026-57480 is a denial of service vulnerability in Parse Server caused by deeply nested query operators that block the Node.js event loop. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-57480 Overview

Parse Server is an open source backend that runs on Node.js and exposes a REST API and LiveQuery interface for mobile and web applications. CVE-2026-57480 is a denial-of-service vulnerability [CWE-407] affecting versions prior to 9.9.1-alpha.12 and 8.6.82. Deeply nested $or, $and, and $nor query condition operators trigger exponential-time processing in the internal query-traversal helper. The recursive traversal blocks the Node.js event loop, stalling the entire server process. An unauthenticated attacker can submit a crafted query over the network to exhaust CPU resources on the Parse Server instance.

Critical Impact

Unauthenticated network attackers can stall Parse Server's Node.js event loop with a single crafted REST or LiveQuery request, halting request handling for all connected clients.

Affected Products

  • Parse Server versions prior to 8.6.82 (8.x branch)
  • Parse Server versions prior to 9.9.1-alpha.12 (9.x branch)
  • Applications exposing the Parse Server REST API or LiveQuery endpoints

Discovery Timeline

  • 2026-07-08 - CVE-2026-57480 published to NVD
  • 2026-07-08 - Last updated in NVD database
  • Fix released - Parse Server versions 8.6.82 and 9.9.1-alpha.12 published on GitHub

Technical Details for CVE-2026-57480

Vulnerability Analysis

The vulnerability is an algorithmic complexity flaw in Parse Server's query depth validator. The checkDepth helper in src/RestQuery.js and src/LiveQuery/ParseLiveQueryServer.ts was designed to enforce a queryDepth limit against nested logical operators. The original implementation only recursed when it directly encountered $or, $and, or $nor keys at the current object level. Attackers can wrap logical operators inside other query constructs such as $elemMatch, $not, or plain field selectors so the depth check misses them. Because the true query engine still evaluates every branch, deeply nested logical trees produce exponential traversal work. The synchronous recursion consumes the single Node.js thread and blocks the event loop.

Root Cause

The root cause is incomplete recursive descent in the query complexity validator. The pre-patch checkDepth function inspected only the reserved operator keys at each node and returned without descending into other object values. Nested logical operators hidden beneath field-level operators bypassed the depth counter entirely. The fix rewrites checkDepth to descend into every value of every object and array, incrementing depth only for logical operators so the documented queryDepth semantics remain intact.

Attack Vector

The attack is remote and unauthenticated over the network. An attacker sends a single HTTP POST to any Parse Server REST endpoint that accepts a where clause, or opens a LiveQuery WebSocket subscription with a similar payload. The malicious where clause embeds logical operators inside field operators to bypass depth validation while still forcing exponential traversal during query processing.

javascript
// Security patch in src/RestQuery.js
// fix: Denial of service via exponential-time processing of deeply nested query op
    return;
  }
  const maxDepth = rc.queryDepth;
-  const checkDepth = (where, depth) => {
+  const checkDepth = (node, depth) => {
    if (depth > maxDepth) {
      throw new Parse.Error(
        Parse.Error.INVALID_QUERY,
        `Query condition nesting depth exceeds maximum allowed depth of ${maxDepth}`
      );
    }
-    if (typeof where !== 'object' || where === null) {
+    if (node === null || typeof node !== 'object') {
      return;
    }
-    for (const op of ['$or', '$and', '$nor']) {
-      if (Array.isArray(where[op])) {
-        for (const subQuery of where[op]) {
-          checkDepth(subQuery, depth + 1);
-        }
+    if (Array.isArray(node)) {
+      for (const item of node) {
+        checkDepth(item, depth);
      }
+      return;
+    }
+    // Descend into every value so that logical operators ($or/$and/$nor) nested
+    // under field-level operators (e.g. $elemMatch, $not) or plain field names are
+    // still counted. Only logical operators increase the depth, which preserves the
+    // documented meaning of `queryDepth`.
// Source: https://github.com/parse-community/parse-server/commit/0f5d2ad77b422dc904458254548be87397fc6e9b

Detection Methods for CVE-2026-57480

Indicators of Compromise

  • Parse Server REST API requests containing deeply nested $or, $and, or $nor operators within $elemMatch, $not, or field-level clauses
  • LiveQuery subscription payloads with unusually large or recursive where structures
  • Node.js process at sustained 100% CPU with unresponsive HTTP endpoints and no corresponding traffic spike
  • Elevated request latency and event-loop lag metrics on the Parse Server host

Detection Strategies

  • Inspect inbound POST /parse/classes/* and POST /parse/functions/* bodies for high nesting counts of logical operators, especially wrapped inside field operators.
  • Use a reverse proxy or API gateway to parse and count $or, $and, and $nor occurrences before the request reaches Parse Server.
  • Correlate spikes in Node.js event-loop lag with recent large where payloads captured by application logging.

Monitoring Recommendations

  • Forward Parse Server access logs and Node.js runtime metrics into a centralized analytics platform such as Singularity Data Lake for correlation and long-term retention.
  • Alert on Parse.Error.INVALID_QUERY events referencing Query condition nesting depth exceeds maximum allowed depth, which indicate the patched check is rejecting suspicious traffic.
  • Track CPU saturation and request queue depth per Parse Server pod or process, and page on sustained event-loop stalls above 500ms.

How to Mitigate CVE-2026-57480

Immediate Actions Required

  • Upgrade Parse Server to version 8.6.82 on the 8.x branch or 9.9.1-alpha.12 on the 9.x branch.
  • Set requestComplexity.queryDepth in the Parse Server configuration to a low value such as 3 to 5.
  • Place a rate-limiter and request-size cap in front of the Parse Server REST and LiveQuery endpoints.
  • Restrict unauthenticated access to sensitive classes using Class Level Permissions and ACLs where feasible.

Patch Information

The Parse Server maintainers fixed the vulnerability in GitHub Release 8.6.82 and GitHub Release 9.9.1-alpha.12. The patch is tracked in GitHub Pull Request #10511 and GitHub Pull Request #10512, with the fix commits 0f5d2ad and 1103c7a. Full details are in the GitHub Security Advisory GHSA-cgxm-vr2f-6fj8.

Workarounds

  • Configure a strict queryDepth limit in requestComplexity to constrain nesting even before upgrading.
  • Enforce a maximum HTTP request body size at the reverse proxy or load balancer to reject oversized where clauses.
  • Terminate LiveQuery WebSocket sessions that send abnormally large subscription payloads.
  • Run Parse Server behind an autoscaler with health checks that recycle stalled Node.js processes.
bash
# Configuration example - enforce a strict query depth limit
# parse-server config.json
{
  "appId": "YOUR_APP_ID",
  "masterKey": "YOUR_MASTER_KEY",
  "databaseURI": "mongodb://localhost:27017/parse",
  "requestComplexity": {
    "queryDepth": 4
  }
}

# Upgrade to the patched release
npm install parse-server@8.6.82
# or, on the 9.x branch
npm install parse-server@9.9.1-alpha.12

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.