Parse Server: Pre-authentication denial of service via client version header regex backtracking
CVE-2026-47138

8.7HIGH

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47138?

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.

Affected Version(s)

parse-server < 8.6.77 < 8.6.77

parse-server >= 9.0.0, < 9.9.1-alpha.1 < 9.0.0, 9.9.1-alpha.1

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10463
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10464
x_refsource_MISC

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.