Skip to main content

Parse Server CVE-2026-47138

| EUVDEUVD-2026-36535 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-23 https://github.com/parse-community/parse-server GHSA-38m6-82c8-4xfm
8.7
CVSS 4.0 · Vendor: https://github.com/parse-community/parse-server
Share

Severity by source

Vendor (https://github.com/parse-community/parse-server) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Reachable over the network on /parse/* with no auth (Application ID is public per Parse's design) and no user interaction; impact is solely availability via worker CPU exhaustion, hence C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/parse-community/parse-server).

CVSS VectorVendor: https://github.com/parse-community/parse-server

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 12, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 12, 2026 - 19:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 23, 2026 - 00:45 vuln.today
Analysis Generated
May 23, 2026 - 00:45 vuln.today

DescriptionCVE.org

Impact

An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected.

Patches

The client SDK version capture and parsing have been removed entirely. The Parse JS SDK compatibility table defines a strict version-pinned contract between Parse Server and the Parse JS SDK; server-side adaptation to client SDK version is an obsolete pattern that contradicts that contract. The vulnerable parser, the clientSDK parameter that threaded its output through routers, and the legacy code path it gated are all removed. The X-Parse-Client-Version header and _ClientVersion JSON body field are now silently ignored on every request; supported Parse SDKs are unaffected.

Workarounds

Deploy a reverse proxy or WAF in front of Parse Server that strips or strictly size-limits the X-Parse-Client-Version header AND the _ClientVersion field in JSON request bodies on every /parse/* route before forwarding to the server. A header-size cap alone is insufficient: the body-field variant requires inspection of JSON content. Upgrading to the patched version is the recommended remediation.

AnalysisAI

Pre-authentication denial of service in Parse Server (versions <8.6.77 and 9.0.0 through 9.9.0) allows remote unauthenticated attackers who know a publicly-discoverable Parse Application ID to pin Node.js workers for seconds to minutes by sending a crafted X-Parse-Client-Version header or _ClientVersion JSON body field that triggers polynomial regex backtracking in the client SDK version parser. The parser runs before session authentication and rate limiting on every /parse/* request, so a handful of concurrent requests can saturate a worker fleet. No public exploit identified at time of analysis, EPSS sits at 0.16% (37th percentile), and the issue is not in CISA KEV.

Technical ContextAI

The flaw is a CWE-1333 inefficient-regex condition inside Parse Server's handleParseHeaders middleware (lib/ClientSDK.js, exposed through lib/middlewares.js). Parse Server historically parsed an SDK identifier and semver from the X-Parse-Client-Version header and the _ClientVersion body field to drive a legacy compatibility code path; the regex used to split SDK name from version exhibits polynomial backtracking on adversarial inputs such as long runs of dashes. Because the affected component is the npm package pkg:npm/parse-server running inside a single-threaded Node.js event loop, regex evaluation blocks the worker synchronously. The fix (PRs #10463 and #10464) removes the clientSDK capture, the parser, and the legacy router branch entirely, treating both inputs as silently ignored - consistent with the Parse JS SDK's version-pinned compatibility contract.

RemediationAI

Vendor-released patch: upgrade parse-server to 9.9.1-alpha.1 on the 9.x line or 8.6.77 on the 8.x line per GHSA-38m6-82c8-4xfm (https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm), tracked by PRs https://github.com/parse-community/parse-server/pull/10463 and https://github.com/parse-community/parse-server/pull/10464 which delete the vulnerable parser and ignore both inputs going forward. If immediate upgrade is impossible, deploy a reverse proxy or WAF in front of /parse/* that strips or strictly size-limits both the X-Parse-Client-Version header AND the _ClientVersion field in JSON request bodies before forwarding; note that a header-size cap alone is insufficient because the body-field variant requires JSON-aware inspection, and stripping these fields is safe because supported Parse SDKs no longer rely on server-side adaptation to client version. Side effects are minimal - any legacy client that depended on the removed compatibility branch was already off-contract per Parse's version-pinned SDK table.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-47138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy