Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.
AnalysisAI
An unauthenticated denial-of-service vulnerability exists in Parse Server versions prior to 8.6.58 and 9.6.0-alpha.52, where attackers can submit authentication requests with arbitrary, unconfigured provider names to trigger expensive unindexed database queries. Each malicious request causes a full collection scan on the user database, and since these requests can be parallelized, an attacker can rapidly exhaust database resources and degrade service availability. The vulnerability requires no authentication or special privileges, making it trivial to exploit at scale, and patches are available in the referenced versions.
Technical ContextAI
Parse Server (cpe:2.3:a:parse-community:parse-server) is an open-source Node.js backend platform that provides authentication services including third-party provider integration. The vulnerability exists in the authentication request handling logic, specifically in how the server processes login attempts that specify provider names. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), stemming from the server executing database queries for any submitted provider name without first validating that the provider is configured. Because no database index exists on the provider field for authentication queries, each lookup against an unconfigured provider forces a full table scan of the user collection. The attackers can exploit this by sending many concurrent requests with different non-existent provider identifiers, each triggering an expensive, non-indexed query that locks database resources.
RemediationAI
Immediately upgrade Parse Server to version 8.6.58 or later (for 8.x deployments) or to version 9.6.0-alpha.52 or later (for 9.x deployments). The patches are available via standard npm package channels and are detailed in pull requests https://github.com/parse-community/parse-server/pull/10270 and https://github.com/parse-community/parse-server/pull/10271. For deployments that cannot be immediately patched, implement authentication provider validation at the reverse proxy or load balancer level, rejecting any login requests that reference provider names not in a whitelist of configured providers. Additionally, implement rate limiting on authentication endpoints to constrain the parallelization capacity of attackers. Consider temporarily restricting network access to Parse Server to trusted IP ranges or VPN clients until patches are applied. Database query monitoring and alerting should be enabled to detect full table scans on the user collection.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14975
GHSA-g4cf-xj29-wqqr