Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: f44e306
Author: Manuel
Date: 2026-03-15T02:54:49Z
Commit Message
fix: Server crash via deeply nested query condition operators ([GHSA-9xp9-j92r-p88v](https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v)) (#10202)
Pull Request
PR: #10202 - fix: Server crash via deeply nested query condition operators (GHSA-9xp9-j92r-p88v)
Labels: state:released-alpha
Description:
Issue
Server crash via deeply nested query condition operators ([GHSA-9xp9-j92r-p88v](https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v))
Analysis
Vulnerability Type: Denial of Service (Stack Overflow / Server Crash)
Severity: Medium
Description
Before this patch, the Parse Server code allowed deeply nested query condition operators such as $or, $and, and $nor without limit, resulting in unbounded recursion during query validation. An attacker could craft queries with excessive nesting depth to cause a stack overflow or crash the server process, causing Denial of Service to legitimate users. This patch adds a configurable maximum nesting depth limit for these logical operators and rejects queries exceeding this depth unless authorized by master or maintenance keys.
Affected Code
```ts
const validateQuery = (
  query: any,
  isMaster: boolean,
  isMaintenance: boolean,
  update: boolean
) => {
  if (isMaintenance) {
    isMaster = true;
  }
  // Each logical operator recurses into its sub-queries; nothing tracks or
  // bounds the recursion depth, so a sufficiently nested query exhausts the stack.
  if (query.$or) {
    if (query.$or instanceof Array) {
      query.$or.forEach(value => validateQuery(value, isMaster, isMaintenance, update));
    } else {
      throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $or format - use an array value.');
    }
  }
  if (query.$and) {
    if (query.$and instanceof Array) {
      query.$and.forEach(value => validateQuery(value, isMaster, isMaintenance, update));
    } else {
      throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $and format - use an array value.');
    }
  }
  if (query.$nor) {
    if (query.$nor instanceof Array && query.$nor.length > 0) {
      query.$nor.forEach(value => validateQuery(value, isMaster, isMaintenance, update));
    } else {
      throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $nor format - use a non-empty array.');
    }
  }
}
```
Proof of Concept
POST /parse/classes/_User with body:
```
{
  "where": {
    "$or": [
      {"username": "a"},
      {"$or": [
        {"username": "b"},
        {"$or": [
          {"username": "c"},
          { ...nested $or queries repeatedly nested to depth > 1000... }
        ]}
      ]}
    ]
  }
}
```
Expected behavior before patch: the server crashes, or the request fails with a stack overflow error, because validation of the query operators recurses without bound.
Expected behavior after patch: the server rejects the query with the error 'Query condition nesting depth exceeds maximum allowed depth of X' (where X is the configured limit), so the process keeps running.
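The following is an added example, not parse-server's own code or the actual patch: a depth-bounded rewrite of the `validateQuery` recursion shown above. It threads a `depth` counter through the recursion, rejects a query once the counter passes a configurable limit, and exempts master and maintenance callers as the advisory describes. The option name `maxDepth`, the default limit, the `QueryValidationError` class and the `buildNestedOr` fixture are assumptions for illustration; the error message follows the wording given in the analysis.

```javascript
// Added example (not parse-server's own code): depth-bounded logical-operator
// validation. maxDepth, QueryValidationError and buildNestedOr are assumptions
// for illustration; INVALID_QUERY mirrors the Parse error code as a plain constant.

const INVALID_QUERY = 102;

class QueryValidationError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

const LOGICAL_OPERATORS = ['$or', '$and', '$nor'];

// Returns true when the query passes; throws QueryValidationError otherwise.
// `depth` is 0 for the top-level query and grows by one per nested operator.
// Master and maintenance callers are exempt from the depth limit, matching the
// behaviour the advisory describes for those keys.
function validateQuery(query, { isMaster = false, isMaintenance = false, maxDepth = 10 } = {}, depth = 0) {
  if (isMaintenance) isMaster = true;
  if (!isMaster && depth > maxDepth) {
    throw new QueryValidationError(
      INVALID_QUERY,
      `Query condition nesting depth exceeds maximum allowed depth of ${maxDepth}`
    );
  }
  for (const op of LOGICAL_OPERATORS) {
    if (query[op] === undefined) continue;
    // Same format rules as the original: arrays only, and $nor must be non-empty.
    if (!Array.isArray(query[op]) || (op === '$nor' && query[op].length === 0)) {
      const hint = op === '$nor' ? 'use a non-empty array.' : 'use an array value.';
      throw new QueryValidationError(INVALID_QUERY, `Bad ${op} format - ${hint}`);
    }
    for (const sub of query[op]) {
      validateQuery(sub, { isMaster, isMaintenance, maxDepth }, depth + 1);
    }
  }
  return true;
}

// Constructed test fixture: a $or chain nested `depth` operator levels deep.
function buildNestedOr(depth) {
  let q = { username: 'leaf' };
  for (let i = 0; i < depth; i++) q = { $or: [{ username: `u${i}` }, q] };
  return q;
}

// Wrapper that reports the outcome instead of throwing, for callers and tests.
function checkQuery(query, options) {
  try {
    validateQuery(query, options);
    return { ok: true };
  } catch (e) {
    return { ok: false, code: e.code, message: e.message };
  }
}

// Stand-alone demonstration with a small limit so the rejection is easy to see.
console.log(checkQuery(buildNestedOr(3), { maxDepth: 3 }));
console.log(checkQuery(buildNestedOr(4), { maxDepth: 3 }));
console.log(checkQuery(buildNestedOr(4), { maxDepth: 3, isMaster: true }));
```

The check runs on function entry rather than after the loop, so a leaf reached at depth `maxDepth + 1` is rejected before any deeper recursion happens, and the limit is enforced uniformly across `$or`, `$and` and `$nor` instead of once per operator branch.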
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-15T06:00:27.688Z