Inefficient Algorithmic Complexity Affecting parse-server package, versions <8.6.82, >=9.0.0-alpha.1 <9.9.1-alpha.12


Severity: high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-PARSESERVER-17420049
  • Published: 23 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: Unknown

Introduced: 19 Jun 2026

CVE: NOT AVAILABLE. CWE-407

How to fix?

Upgrade parse-server to version 8.6.82, 9.9.1-alpha.12 or higher.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the query-depth processing in validateQueryDepth and ParseLiveQueryServer._handleSubscribe. An attacker can exhaust the server CPU and hang the event loop by sending a query with deeply nested logical operators such as $or, $and, or $nor wrapped inside field-level operators like $elemMatch. The vulnerable recursion did not consistently count logical operators nested under fields, and the object-walking logic could re-traverse nested arrays exponentially. This allows a single small REST or Live Query request to trigger extensive processing, causing latency spikes and service unavailability for other users.
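The defensive check the advisory describes, as an added example that is not parse-server's own validateQueryDepth: it counts $or/$and/$nor at every nesting level, including when they sit under a field-level operator such as $elemMatch, and walks each object or array element exactly once so the cost stays linear in the query size. The sample query shapes and the maxDepth value are constructed for illustration.

```javascript
// Added example, not parse-server code. Logical operators that add one level
// of nesting; field names and operators like $elemMatch do not add depth but
// are still descended into, so nothing hidden under a field is missed.
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Returns the deepest logical-operator nesting found in `query`.
// Throws as soon as the depth exceeds `maxDepth`, so a caller can reject the
// request before any expensive query planning or matching runs.
function validateQueryDepth(query, maxDepth, depth = 0) {
  if (query === null || typeof query !== 'object') return depth;

  let maxSeen = depth;
  if (Array.isArray(query)) {
    // Each array element is visited once; the array itself adds no depth.
    for (const item of query) {
      maxSeen = Math.max(maxSeen, validateQueryDepth(item, maxDepth, depth));
    }
    return maxSeen;
  }

  for (const [key, value] of Object.entries(query)) {
    const nextDepth = LOGICAL_OPERATORS.has(key) ? depth + 1 : depth;
    if (nextDepth > maxDepth) {
      throw new Error(`Query depth ${nextDepth} exceeds limit ${maxDepth}`);
    }
    maxSeen = Math.max(maxSeen, validateQueryDepth(value, maxDepth, nextDepth));
  }
  return maxSeen;
}

// Constructed sample: an $or hidden under $elemMatch inside another $or.
// A checker that stops counting at field boundaries would report depth 1;
// this one reports 2.
const SAMPLE_QUERY = {
  $or: [
    { tags: { $elemMatch: { $or: [{ name: 'a' }, { name: 'b' }] } } },
    { score: { $gt: 5 } },
  ],
};

// Constructed helper: a query `n` logical levels deep, each level wrapped in
// $elemMatch, used to confirm the limit is enforced through field operators.
function nestedQuery(n) {
  let q = { name: 'leaf' };
  for (let i = 0; i < n; i++) q = { tags: { $elemMatch: { $or: [q] } } };
  return q;
}
```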
