Exponential Time Processing Vulnerability in Parse Server by Parse Community
CVE-2026-57480
8.7HIGH
What is CVE-2026-57480?
The vulnerability allows for a Denial-of-Service condition in Parse Server versions before 9.9.1-alpha.12 and 8.6.82. It occurs due to deeply nested logical operators—$or, $and, and $nor—within REST API or LiveQuery queries. This can result in exponential processing times, blocking the Node.js event loop and degrading overall performance. Users are advised to upgrade to the specified versions to mitigate this issue.
Affected Version(s)
parse-server >= 9.0.0-alpha.1, < 9.9.1-alpha.12 < 9.0.0-alpha.1, 9.9.1-alpha.12
parse-server < 8.6.82 < 8.6.82
