GHSA-mfj6-6p54-m98c

Source

https://github.com/advisories/GHSA-mfj6-6p54-m98c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mfj6-6p54-m98c/GHSA-mfj6-6p54-m98c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mfj6-6p54-m98c

Aliases

CVE-2026-34573

Published

2026-03-31T23:49:18Z

Modified

2026-04-01T00:04:54.769174Z

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

parse-server has GraphQL complexity validator exponential fragment traversal DoS

Details

Impact

The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options.

Patches

The fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. Additionally, early termination aborts the traversal as soon as configured limits are exceeded.

Workarounds

Disable GraphQL complexity limits by setting requestComplexity.graphQLDepth and requestComplexity.graphQLFields to -1 (the default).

Resources

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344
Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345

Database specific

{
    "cwe_ids": [
        "CWE-407"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-03-31T16:16:33Z",
    "severity": "HIGH",
    "github_reviewed_at": "2026-03-31T23:49:18Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.7.0-alpha.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mfj6-6p54-m98c/GHSA-mfj6-6p54-m98c.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.68

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mfj6-6p54-m98c/GHSA-mfj6-6p54-m98c.json"