Exponential Time Processing Vulnerability in Parse Server by Parse Community
CVE-2026-57480

8.7HIGH

Key Information:

Vendor
CVE Published:
8 July 2026

What is CVE-2026-57480?

The vulnerability allows for a Denial-of-Service condition in Parse Server versions before 9.9.1-alpha.12 and 8.6.82. It occurs due to deeply nested logical operators—$or, $and, and $nor—within REST API or LiveQuery queries. This can result in exponential processing times, blocking the Node.js event loop and degrading overall performance. Users are advised to upgrade to the specified versions to mitigate this issue.

Affected Version(s)

parse-server >= 9.0.0-alpha.1, < 9.9.1-alpha.12 < 9.0.0-alpha.1, 9.9.1-alpha.12

parse-server < 8.6.82 < 8.6.82

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.