Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-1333"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47138.json"
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "8.6.77"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.9.1-alpha.1"
}
]
}