CVE-2026-34573
Published: 31 March 2026
Summary
CVE-2026-34573 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through patching to Parse Server versions 8.6.68 or 9.7.0-alpha.12 directly fixes the vulnerable GraphQL query complexity validator.
Denial-of-service protections such as rate limiting, request throttling, or resource quotas at network boundaries prevent a single crafted GraphQL query from blocking the Node.js event loop.
Information input validation for GraphQL queries ensures crafted fragment spreads are rejected before reaching the flawed complexity validator.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote DoS vulnerability in Parse Server's GraphQL complexity validator exploitable via a single crafted query causing event loop blockage and resource exhaustion, directly mapping to application/system exploitation for endpoint DoS.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted…
more
query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
Deeper analysisAI
CVE-2026-34573 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js infrastructure. The issue affects versions prior to 8.6.68 and 9.7.0-alpha.12, specifically in the GraphQL query complexity validator. Attackers can exploit it by sending a crafted GraphQL query using binary fan-out fragment spreads, which overwhelms the validator and blocks the Node.js event loop for seconds. This vulnerability, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-407 (likely resource exhaustion), only impacts deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options.
An unauthenticated remote attacker can exploit this vulnerability with a single request, causing widespread denial of service. The crafted query ties up the event loop, preventing the server from processing requests for other users during the blockage, effectively halting service for all concurrent clients.
Parse Server has addressed this issue in versions 8.6.68 and 9.7.0-alpha.12, as detailed in the project's security advisory (GHSA-mfj6-6p54-m98c) and related GitHub pull requests (#10344, #10345) and commits (ea15412795f34594cc8a674fe858d445675e0295, f759bda075298ec44e2b4fb57659a0c56620483b). Security practitioners should upgrade to these patched versions and review configurations to ensure the affected GraphQL complexity options are appropriately managed.
Details
- CWE(s)