EUVD-2026-12992
GHSA-9xp9-j92r-p88v
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
4Tags
Description
### Impact An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. ### Patches A depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. ### Workarounds None.
Analysis
Parse Server contains a vulnerability that allows an unauthenticated remote attacker to crash the server process through a single HTTP request containing deeply nested query condition operators. This denial of service vulnerability affects parse-server versions before 8.6.45 and alpha versions 9.0.0 through 9.6.0-alpha.21. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Parse Server instances and confirm versions against the affected range (before 8.6.45 and 9.0.0-9.6.0-alpha.21). Within 7 days: Apply vendor patches to all affected systems, beginning with production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today