Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 85994ef
Author: Manuel
Date: 2026-03-20T17:43:50Z
Commit Message
fix: Query condition depth bypass via pre-validation transform pipeline ([GHSA-9fjp-q3c4-6w3j](https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j)) (#10257)
Pull Request
PR: #10257 - fix: Query condition depth bypass via pre-validation transform pipeline (GHSA-9fjp-q3c4-6w3j)
Labels: state:released-alpha
Description:
Issue
Query condition depth bypass via pre-validation transform pipeline ([GHSA-9fjp-q3c4-6w3j](https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j))
Analysis
Vulnerability Type: Denial of Service via Resource Exhaustion
Severity: High
Description
Before the patch, query conditions submitted to the REST API went through the transform pipeline before any nesting-depth validation ran, so the depth check could be bypassed: the server had already spent CPU and memory walking and rewriting the condition tree before it decided whether the query was acceptable. An attacker could therefore submit a query nested to extreme depth (the proof of concept below uses 50 levels of $and) and drive resource consumption high enough to degrade or crash the server. The patch validates the maximum query nesting depth before the transform pipeline runs, so overly nested queries are rejected up front and this denial-of-service path is closed.
Affected Code
```javascript
_UnsafeRestQuery.prototype.execute = function (executeOptions) {
  return Promise.resolve()
    // no depth validation before transform pipeline processing
    .then(() => {
      return this.buildRestWhere();
    })
```
Proof of Concept
Construct a deeply nested query with 50 levels of $and or $or, such as:
```json
{
  "$and": [
    { "$and": [
      ... (repeatedly nested 50 times) ...
      { "username": "test" }
    ]}
  ]
}
```
Send this object as the `where` condition of a query against the `_User` class on the REST API. Before the patch the server accepts it and processes the full tree instead of rejecting it, leading to high CPU and memory consumption and a possible crash or service slowdown.
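The depth check the patch describes, written out as an added example in JavaScript. This is not code from parse-server or from the fix; the limit value MAX_QUERY_DEPTH, the function names, the treatment of $and/$or/$nor as the operators that add a nesting level, and the `countNodes` stand-in for the transform pass are all assumptions made here. The block builds the 50-level query from the proof of concept above, measures its depth, and contrasts the vulnerable order (transform first, then check) with the patched order (check first).

```javascript
// Added example, not parse-server's own code: a nesting-depth check for
// Parse-style `where` conditions that runs before any query transformation,
// plus a generator for the nested-$and query from the proof of concept.
// Assumed for this example (not taken from the advisory or the patch): the
// limit MAX_QUERY_DEPTH, the function names, and the choice of $and/$or/$nor
// as the compound operators that add a level of nesting.

const MAX_QUERY_DEPTH = 10; // assumed limit; the project sets its own value

// Compound operators whose value is an array of sub-conditions.
const COMPOUND_OPERATORS = new Set(['$and', '$or', '$nor']);

// Nesting depth of a condition: a plain field constraint such as
// { username: "test" } or { age: { $gt: 3 } } is depth 0, and every
// $and/$or/$nor wrapper around it adds 1. Arrays and nested objects are
// walked so a compound operator cannot hide under a field key.
function queryDepth(where) {
  if (where === null || typeof where !== 'object') return 0;
  if (Array.isArray(where)) {
    return where.reduce((max, item) => Math.max(max, queryDepth(item)), 0);
  }
  let max = 0;
  for (const [key, value] of Object.entries(where)) {
    const child = queryDepth(value);
    max = Math.max(max, COMPOUND_OPERATORS.has(key) ? child + 1 : child);
  }
  return max;
}

// Build the proof-of-concept query: `levels` $and wrappers around one leaf.
function buildNestedQuery(levels, leaf = { username: 'test' }) {
  let where = leaf;
  for (let i = 0; i < levels; i += 1) where = { $and: [where] };
  return where;
}

// Pre-validation gate. Returns { ok, depth } and, when rejecting, an error
// message; it never mutates the query and does no other work on it, so a
// hostile query is turned away before any transform touches it.
function checkQueryDepth(where, maxDepth = MAX_QUERY_DEPTH) {
  const depth = queryDepth(where);
  if (depth > maxDepth) {
    return { ok: false, depth, error: `query nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Count every object and array node in the condition. Stands in for the cost
// of a transform pass that walks the whole tree; it is not parse-server's pipeline.
function countNodes(where) {
  if (where === null || typeof where !== 'object') return 0;
  const children = Array.isArray(where) ? where : Object.values(where);
  return 1 + children.reduce((sum, child) => sum + countNodes(child), 0);
}

// Simulate handling a query in the vulnerable order (transform, then check)
// versus the patched order (check, then transform). `work` is the number of
// nodes the transform stand-in visited before the request was decided.
function handleQuery(where, { validateFirst }) {
  let work = 0;
  if (validateFirst) {
    const early = checkQueryDepth(where);
    if (!early.ok) return { accepted: false, work, reason: early.error };
  }
  work = countNodes(where); // the transform pass
  const late = checkQueryDepth(where);
  if (!late.ok) return { accepted: false, work, reason: late.error };
  return { accepted: true, work };
}

if (typeof require !== 'undefined' && require.main === module) {
  const poc = buildNestedQuery(50);
  console.log('depth of PoC query:', queryDepth(poc));
  console.log('vulnerable order:', handleQuery(poc, { validateFirst: false }));
  console.log('patched order:   ', handleQuery(poc, { validateFirst: true }));
}
```

Run it with `node` to see the 50-level query rejected in both orders, with the difference being how much of the tree was walked first (the whole tree in the vulnerable order, nothing in the patched order). The check only counts $and/$or/$nor levels, which is what the proof of concept abuses; a separate bound on raw JSON object depth (or body size) at the request layer is the usual companion control, since a parser will happily build arbitrarily deep objects before any query logic sees them.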
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-20T18:02:02.458Z