GHSA-g4cf-xj29-wqqr

Source

https://github.com/advisories/GHSA-g4cf-xj29-wqqr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g4cf-xj29-wqqr

Aliases

CVE-2026-33538

Published

2026-03-24T19:11:40Z

Modified

2026-03-24T19:16:43.364620Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

Details

Impact

An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.

Patches

The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.

Workarounds

There is no known workaround other than upgrading.

Resources

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10270
Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10271

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:11:40Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "nvd_published_at": null,
    "severity": "HIGH"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.6.0-alpha.52

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.58

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json"