QwikSec

Security Database

CVE

CWE

Training

CVE-2026-34573

Published: Mar 31, 2026

Modified: Mar 31, 2026

PUBLISHED

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.

Vendor	Product	Versions
parse-community	parse-server	affected `< 8.6.68` affected `>= 9.0.0, < 9.7.0-alpha.12`

Weaknesses (CWE)

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c

x_refsource_CONFIRM

https://github.com/parse-community/parse-server/pull/10344

x_refsource_MISC

https://github.com/parse-community/parse-server/pull/10345

x_refsource_MISC

https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295

x_refsource_MISC

https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.