Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial of service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.68 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe (Patch)
- https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57 (Patch)
- https://github.com/parse-community/parse-server/pull/10344 (Issue Tracking, Patch)
- https://github.com/parse-community/parse-server/pull/10345 (Issue Tracking, Patch)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p (Patch, Vendor Advisory)
FAQ
What is CVE-2026-34573?
CVE-2026-34573 is a vulnerability with a CVSS score of 7.5 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be explo...
How severe is CVE-2026-34573?
CVE-2026-34573 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34573?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.