Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 0ae9c25
Author: Manuel
Date: 2026-03-07T23:40:45Z
Commit Message
fix: Denial-of-service via unbounded query complexity in REST and GraphQL API ([GHSA-cmj3-wx7h-ffvg](https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg)) (#10130)
Pull Request
PR: #10130 - fix: Denial-of-service via unbounded query complexity in REST and GraphQL API (GHSA-cmj3-wx7h-ffvg)
Labels: state:released-alpha
Description:
Issue
Denial-of-service via unbounded query complexity in REST and GraphQL API ([GHSA-cmj3-wx7h-ffvg](https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg))
Analysis
Vulnerability Type: Denial of Service
Severity: High
Description
This patch fixes a Denial-of-Service (DoS) vulnerability caused by unbounded query complexity in the REST and GraphQL APIs of the Parse Server. Before this fix, attackers could craft deeply nested or excessively large GraphQL queries or complex subqueries in REST requests that would cause the server to perform expensive operations, exhausting resources and making the service unavailable. The patch introduces configurable limits on query depth, field counts, and subquery nesting, preventing resource exhaustion attacks.
Affected Code
/* Before patch: no limits on subquery or GraphQL query complexity, allowing unbounded nesting */
// Hypothetical vulnerable snippet from REST & GraphQL query handling (pseudo-code):
function executeQuery(query) {
  // No complexity or depth checks: nested REST subqueries and deeply nested
  // GraphQL selections are handed straight to the database layer.
  return database.query(query);
}
// No upper bound on GraphQL query depth or field counts, or on subquery nesting in REST requests.
Proof of Concept
1. Exploit GraphQL API by sending a deeply nested query exceeding default depth limit:
POST /graphql
Content-Type: application/json
{
"query": "{ users { edges { node { edges { node { edges { node { objectId } } } } } } } }"
}
Expected result before patch: Server processes query leading to high CPU/memory usage, causing service slowdown or crash.
2. Exploit REST API with nested $inQuery constraints exceeding depth limit:
GET /classes/_User?where={"username": {"$inQuery": {"className": "_User", "where": {"username": {"$inQuery": {"className": "_User", "where": { ... }} }}}}}
(Repeated nesting > configured limit)
Expected result before patch: The server performs nested subqueries without bound, exhausting resources and resulting in denial of service.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T00:00:39.699Z