GHSA-g4cf-xj29-wqqr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g4cf-xj29-wqqr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g4cf-xj29-wqqr
- Aliases
- Published
- 2026-03-24T19:11:40Z
- Modified
- 2026-03-27T22:03:47.941344Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
- Details
-
Impact
An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.
Patches
The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.
Workarounds
There is no known workaround other than upgrading.
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2026-03-24T19:11:40Z", "nvd_published_at": "2026-03-24T19:16:54Z" }- References
-
- https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr
- https://nvd.nist.gov/vuln/detail/CVE-2026-33538
- https://github.com/parse-community/parse-server/pull/10270
- https://github.com/parse-community/parse-server/pull/10271
- https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357
- https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54
- https://github.com/parse-community/parse-server
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server