Vulnerability details: VCID-ze79-p1vg-47fx
Vulnerability ID VCID-ze79-p1vg-47fx
Aliases CVE-2026-34573
GHSA-mfj6-6p54-m98c
Summary parse-server has GraphQL complexity validator exponential fragment traversal DoS

### Impact
The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options.

### Patches
The fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. Additionally, early termination aborts the traversal as soon as configured limits are exceeded.

### Workarounds
Disable GraphQL complexity limits by setting `requestComplexity.graphQLDepth` and `requestComplexity.graphQLFields` to `-1` (the default).

### Resources
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345
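The difference between per-branch and memoized fragment traversal described under Patches, as an added JavaScript example that is not parse-server's code. The fragment-graph model, `fanOut`, `naive`, `memoized` and the `limits` object are hypothetical, and depth is modeled as one level per nested fragment.

```javascript
// Added example: toy fragment graph { name: { fields, spreads } }, not parse-server's AST.
// Constructed input: n fragments, each spreading the next one twice.
function fanOut(n) {
  const frags = {};
  for (let i = 0; i < n; i++) {
    const next = i + 1 < n ? [`F${i + 1}`, `F${i + 1}`] : [];
    frags[`F${i}`] = { fields: 1, spreads: next };
  }
  return frags;
}

// Per-branch traversal: re-walks a fragment at every spread site.
function naive(frags, name, stats = { visits: 0 }) {
  stats.visits++;
  let fields = frags[name].fields;
  for (const s of frags[name].spreads) fields += naive(frags, s, stats).fields;
  return { fields, visits: stats.visits };
}

// Memoized traversal: each fragment is computed once, and the walk aborts
// as soon as a fragment's total exceeds a configured limit.
function memoized(frags, root, limits) {
  const memo = new Map();
  let visits = 0;
  const walk = (name) => {
    if (memo.has(name)) {
      if (memo.get(name) === null) throw new Error(`fragment cycle at ${name}`);
      return memo.get(name);
    }
    memo.set(name, null); // marks "in progress" so a cycle cannot recurse forever
    visits++;
    let fields = frags[name].fields;
    let depth = 1;
    for (const s of frags[name].spreads) {
      const sub = walk(s);
      fields += sub.fields;
      depth = Math.max(depth, 1 + sub.depth);
    }
    if (fields > limits.maxFields || depth > limits.maxDepth)
      throw new RangeError(`limit exceeded in ${name}`);
    memo.set(name, { fields, depth });
    return memo.get(name);
  };
  try {
    return { ok: true, ...walk(root), visits };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    return { ok: false, reason: e.message, visits };
  }
}
```

Both functions report the same field total for the same graph; only the number of fragment visits differs, which is the work the event loop has to do before the limit check can reject the request.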
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2026-34573
epss 0.00019 https://api.first.org/data/v1/epss?cve=CVE-2026-34573
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-mfj6-6p54-m98c
cvssv4 8.2 https://github.com/parse-community/parse-server
generic_textual HIGH https://github.com/parse-community/parse-server
cvssv4 8.2 https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
generic_textual HIGH https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
ssvc Track https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
cvssv4 8.2 https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
generic_textual HIGH https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
ssvc Track https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
cvssv4 8.2 https://github.com/parse-community/parse-server/pull/10344
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10344
ssvc Track https://github.com/parse-community/parse-server/pull/10344
cvssv4 8.2 https://github.com/parse-community/parse-server/pull/10345
generic_textual HIGH https://github.com/parse-community/parse-server/pull/10345
ssvc Track https://github.com/parse-community/parse-server/pull/10345
cvssv3.1_qr HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
cvssv4 8.2 https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
generic_textual HIGH https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
cvssv4 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-34573
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-34573
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/ Found at https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/ Found at https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10344
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/ Found at https://github.com/parse-community/parse-server/pull/10344
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/pull/10345
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/ Found at https://github.com/parse-community/parse-server/pull/10345
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34573
Exploit Prediction Scoring System (EPSS)
Percentile 0.04954
EPSS Score 0.00018
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:57:42.844644+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mfj6-6p54-m98c/GHSA-mfj6-6p54-m98c.json 38.6.0