CVE-2026-34573
EPSS 0.02%

parse-server has GraphQL complexity validator exponential fragment traversal DoS

Description
### Impact

The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options.

### Patches

The fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. Additionally, early termination aborts the traversal as soon as configured limits are exceeded.

### Workarounds

Disable GraphQL complexity limits by setting `requestComplexity.graphQLDepth` and `requestComplexity.graphQLFields` to `-1` (the default).

### Resources

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345
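The memoized traversal with early termination described under Patches, as an added example that is not parse-server's own code: it walks a simplified selection AST (an assumed shape, not graphql-js), caches each fragment's depth and field count so a spread referenced from many branches costs O(1) after its first visit, and aborts as soon as a configured limit is exceeded; a limit of `-1` means "disabled", mirroring the page's default. `buildFanOut` constructs the doubling fragment shape the page describes, purely as regression input for the validator.

```javascript
// Added example, not parse-server's code. Assumed AST shape:
//   { kind: 'Field', name, selections? } | { kind: 'Spread', name }; fragments: { [name]: selections[] }
class LimitExceeded extends Error {}
function measure(selections, fragments, limits, memo, visiting) {
  let depth = 0, fields = 0; // deepest nesting below this set / fields once spreads are expanded
  for (const sel of selections) {
    if (sel.kind === 'Field') {
      const sub = sel.selections
        ? measure(sel.selections, fragments, limits, memo, visiting)
        : { depth: 0, fields: 0 };
      depth = Math.max(depth, 1 + sub.depth);
      fields += 1 + sub.fields;
    } else if (sel.kind === 'Spread') {
      // Memoization: each fragment body is measured once, then reused for every spread.
      if (!memo.has(sel.name)) {
        if (visiting.has(sel.name)) throw new Error(`cyclic fragment ${sel.name}`); // defensive
        const body = fragments[sel.name];
        if (!body) throw new Error(`unknown fragment ${sel.name}`);
        visiting.add(sel.name);
        memo.set(sel.name, measure(body, fragments, limits, memo, visiting));
        visiting.delete(sel.name);
      }
      const m = memo.get(sel.name);
      depth = Math.max(depth, m.depth);
      fields += m.fields;
    }
    // Early termination: abort the walk as soon as a configured limit is exceeded.
    if (limits.depth >= 0 && depth > limits.depth) throw new LimitExceeded('depth');
    if (limits.fields >= 0 && fields > limits.fields) throw new LimitExceeded('fields');
  }
  return { depth, fields };
}
function validateComplexity(query, fragments, limits) {
  try {
    return { ok: true, ...measure(query, fragments, limits, new Map(), new Set()) };
  } catch (e) {
    if (e instanceof LimitExceeded) return { ok: false, reason: e.message };
    throw e;
  }
}
// Constructed sample: `levels` fragments, each spreading the previous one twice,
// so the expanded field count doubles per level; memoization keeps the walk linear.
function buildFanOut(levels) {
  const fragments = { f0: [{ kind: 'Field', name: 'a' }, { kind: 'Field', name: 'b' }] };
  for (let i = 1; i <= levels; i++) {
    fragments[`f${i}`] = [{ kind: 'Spread', name: `f${i - 1}` }, { kind: 'Spread', name: `f${i - 1}` }];
  }
  return { query: [{ kind: 'Spread', name: `f${levels}` }], fragments };
}
```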
Affected packages (2)

- Bitnami/parse: from 0, < 8.6.68; >= 9.0.0, < 9.7.0
- npm/parse-server: >= 9.0.0, < 9.7.0-alpha.12
CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
References (7)

- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-34573
- PATCH: https://github.com/parse-community/parse-server
- WEB: https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
- WEB: https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
- WEB: https://github.com/parse-community/parse-server/pull/10344
- WEB: https://github.com/parse-community/parse-server/pull/10345
- WEB: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c