BIT-parse-2026-57480

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-57480.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-parse-2026-57480
Aliases
Published
2026-07-14T15:50:20.292Z
Modified
2026-07-14T16:40:34.508744504Z
Summary
Parse Server: Denial of service via exponential-time processing of deeply nested query operators
Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1 and 8.6.82.

Database specific
{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
    ]
}
References

Affected packages

Bitnami / parse

Package

Name
parse
Purl
pkg:bitnami/parse

Severity

  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.6.82
Introduced
9.0.0
Fixed
9.9.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-57480.json"