CVE-2026-47138
Status: Received - Intake
Denial of Service in Parse Server

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs

Vendor           Product       Version / Range
parse_server     parse_server  up to 9.9.1-alpha.1 (exc)
parse_community  parse_server  from 8.0.0 (inc) to 8.6.77 (exc)
parse_community  parse_server  from 9.0.0 (inc) to 9.9.1-alpha.1 (exc)
parse_community  parse_server  8.6.77
parse_community  parse_server  9.9.1-alpha.1
CWE ID and Description
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Compliance Impact

CVE-2026-47138 is a denial of service vulnerability that allows unauthenticated attackers to exhaust CPU resources on Parse Server instances before any authentication or rate limiting occurs.

While the vulnerability impacts availability by potentially causing service unresponsiveness, there is no indication from the provided information that it leads to unauthorized data access, data leakage, or compromise of confidentiality or integrity.

Therefore, the vulnerability primarily affects the availability aspect of systems using Parse Server, which could have indirect implications for compliance with standards like GDPR or HIPAA that require availability of systems and data.

However, since no direct data breach or unauthorized access is described, the impact on compliance with these regulations is limited to potential availability disruptions rather than privacy or data protection violations.

Executive Summary

CVE-2026-47138 is a high-severity vulnerability in Parse Server versions prior to 8.6.77 and 9.9.1-alpha.1. It allows an unauthenticated attacker who knows a publicly-known Parse Application ID to send a specially crafted HTTP request containing adversarial input in the client SDK version field. This input triggers polynomial backtracking in a regex parser used for request-header parsing.

The parsing happens before session authentication and rate limiting on every /parse/* request, causing the server to consume seconds to minutes of synchronous CPU time on a Node.js worker before any access control is applied. This can saturate a worker with just a few concurrent requests, and a single large request can pin a worker for minutes, leading to denial of service.

The vulnerability stems from inefficient regex complexity (CWE-1333) in parsing the client SDK version header or the equivalent JSON body field. The issue was fixed by removing the vulnerable parser and related code, effectively ignoring the client version fields.

Impact Analysis

This vulnerability can cause severe denial of service on Parse Server deployments by exhausting CPU resources on Node.js workers. An attacker can send crafted requests that consume significant CPU time before authentication or rate limiting occurs, potentially saturating server workers.

As a result, legitimate requests may be delayed or dropped, causing service unavailability or degraded performance. Production deployments running default configurations are affected, making the service unresponsive or slow under attack.

Mitigations include upgrading to patched versions (8.6.77 or 9.9.1-alpha.1) or deploying reverse proxies or web application firewalls to strip or limit the problematic client version fields.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage on Node.js workers handling Parse Server requests, especially on endpoints matching /parse/*. The attack involves sending HTTP requests with maliciously crafted client SDK version fields, either in the X-Parse-Client-Version header or the _ClientVersion JSON body field.

To detect potential exploitation attempts, you can inspect incoming HTTP requests for suspicious or unusually long strings in the X-Parse-Client-Version header or the _ClientVersion field in request bodies.

Example commands to detect such requests (note that on port 443 the header is only visible in cleartext where TLS is terminated, for example at the reverse proxy, so capture there or inspect access logs instead):

  • Using tcpdump or tshark to capture HTTP traffic and filter for the X-Parse-Client-Version header:
      tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'X-Parse-Client-Version'
  • Using grep or jq on server logs to find requests containing the _ClientVersion field with suspicious content:
      grep '_ClientVersion' /path/to/parse-server/logs/*
      jq '.body._ClientVersion' /path/to/parse-server/logs/*

Additionally, monitoring CPU usage on Node.js workers for spikes during /parse/* requests can help identify ongoing exploitation.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Parse Server to a patched version, specifically version 8.6.77 or 9.9.1-alpha.1, where the vulnerable regex parsing code has been removed.

If upgrading immediately is not possible, deploying a reverse proxy or a web application firewall (WAF) to strip or limit the X-Parse-Client-Version header and the _ClientVersion JSON body field can help mitigate the attack surface.

These mitigations prevent the adversarial input from reaching the vulnerable parser, thereby avoiding CPU exhaustion.

Monitoring and rate limiting requests to /parse/* endpoints can also reduce the impact of potential exploitation attempts.
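The following is an added example, not Parse Server's own code, that covers both the Detection Guidance and the Mitigation Strategies above in one place: a pre-authentication guard, written as a plain Node.js function with an Express-style middleware wrapper, that inspects the two fields named in the advisory (the X-Parse-Client-Version header and the _ClientVersion body field), reports values that are oversized or outside an expected shape so they can be logged and counted, and then deletes the fields so the version parser never sees them. The field names come from the advisory; the 64-character bound, the allow-list pattern, the middleware shape and the sample requests are assumptions made for this example. The length check runs before any pattern match, and the pattern itself is anchored with no nested quantifiers, so the guard cannot reintroduce the backtracking problem it is meant to block.

```javascript
// Added example (not Parse Server's own code): a pre-auth guard that inspects
// the two client-version fields named in the advisory and strips them before
// the request reaches Parse Server. The length bound, the allow-list pattern
// and the sample requests are assumptions chosen for this example.
'use strict';

const HEADER = 'x-parse-client-version'; // Node lower-cases header names
const BODY_FIELD = '_ClientVersion';

// Assumed upper bound for a genuine SDK version string. Checked BEFORE any
// regex so an oversized value never reaches a pattern match at all.
const MAX_LEN = 64;

// Assumed allow-list: short SDK tag, dotted numeric version, optional short
// suffix. Anchored, bounded and without nested quantifiers, so matching is
// linear in the input length.
const SAFE_VERSION = /^[A-Za-z]{1,8}[0-9]{1,6}(\.[0-9]{1,6}){0,3}(-[0-9A-Za-z.]{1,20})?$/;

// Classify one value: null when acceptable, otherwise a short reason string.
function classifyVersion(value) {
  if (value === undefined || value === null) return null;
  if (typeof value !== 'string') return 'non-string';
  if (value.length > MAX_LEN) return `too-long(${value.length})`;
  if (!SAFE_VERSION.test(value)) return 'unexpected-format';
  return null;
}

// Inspect a request-like object { url, headers, body }. Both fields are
// removed regardless of how they look (the patched upstream ignores them
// anyway); suspicious ones are reported so they can be logged for detection.
function guardClientVersion(req) {
  const findings = [];
  const headers = req.headers || {};
  const body = req.body && typeof req.body === 'object' ? req.body : {};

  const h = classifyVersion(headers[HEADER]);
  if (h) findings.push({ field: HEADER, reason: h, length: String(headers[HEADER]).length });
  const b = classifyVersion(body[BODY_FIELD]);
  if (b) findings.push({ field: BODY_FIELD, reason: b, length: String(body[BODY_FIELD]).length });

  delete headers[HEADER];
  delete body[BODY_FIELD];

  return { suspicious: findings.length > 0, findings };
}

// Express-style middleware wrapper; Express itself is not needed to run this.
function clientVersionMiddleware(logger = console) {
  return (req, res, next) => {
    const report = guardClientVersion(req);
    if (report.suspicious) {
      logger.warn(JSON.stringify({ event: 'parse-client-version-anomaly', url: req.url, ...report }));
    }
    next();
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  benign: { url: '/parse/classes/Foo', headers: { [HEADER]: 'js4.0.1' }, body: { [BODY_FIELD]: 'js4.0.1' } },
  oversized: { url: '/parse/classes/Foo', headers: { [HEADER]: 'js' + '1.'.repeat(2000) + 'x' }, body: {} },
  oddFormat: { url: '/parse/classes/Foo', headers: {}, body: { [BODY_FIELD]: 'js1..1.1-\u0000' } },
};

// Run the guard over a fresh copy of each sample and record what it did.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    const copy = JSON.parse(JSON.stringify(req));
    out[name] = guardClientVersion(copy);
    out[name].headerRemoved = !(HEADER in copy.headers);
    out[name].bodyRemoved = !(BODY_FIELD in copy.body);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
if (typeof module !== 'undefined') {
  module.exports = { classifyVersion, guardClientVersion, clientVersionMiddleware, runSamples };
}
```

Mount clientVersionMiddleware() in front of the Parse Server mount point (before any route that serves /parse/*) so the check runs ahead of the vulnerable parser; the emitted parse-client-version-anomaly log line is what a SIEM rule or a simple counter would key on, and a spike in those events alongside worker CPU saturation is the detection signal the guidance above describes.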
