PT-2026-29277 · Unknown · Parse Server

Bugbunny-Research · Published 2026-03-31 · Updated 2026-04-06 · CVE-2026-34573

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.68
Parse Server versions prior to 9.7.0-alpha.12

Description
Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a denial-of-service condition. A crafted GraphQL query that uses binary fan-out fragment spreads can exploit the GraphQL query complexity validator, potentially blocking the Node.js event loop for several seconds and disrupting service for all concurrent users. This issue only affects deployments where the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options are enabled. The fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal time from exponential to linear.

Recommendations
Update Parse Server to version 8.6.68 or later, or to version 9.7.0-alpha.12 or later. As a workaround, disable GraphQL complexity limits by setting requestComplexity.graphQLDepth and requestComplexity.graphQLFields to -1.
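As an added illustration, not Parse Server's own code: a simplified GraphQL depth check over a hand-built AST, showing the per-branch fragment traversal the advisory describes beside a memoized version that visits each fragment once. The AST shape, the fragment names F0 to F3, the `owner` field and the visit counter are constructed for this example.

```javascript
'use strict';

// Constructed sample: each fragment wraps two spreads of the one below it,
// a small instance of the binary fan-out shape named in the advisory.
const wrap = (inner) => [{ kind: 'field', name: 'owner', selections: [
  { kind: 'spread', name: inner }, { kind: 'spread', name: inner }] }];
const FRAGMENTS = {
  F0: [{ kind: 'field', name: 'id', selections: [] }],
  F1: wrap('F0'), F2: wrap('F1'), F3: wrap('F2'),
};

// Per-branch traversal (the pre-fix pattern): every spread re-walks the
// fragment it names, so work doubles at each level of the fan-out.
function depthNaive(selections, fragments, stats) {
  let max = 0;
  for (const sel of selections) {
    if (sel.kind === 'spread') {
      stats.fragmentVisits++;
      max = Math.max(max, depthNaive(fragments[sel.name], fragments, stats));
    } else {
      max = Math.max(max, 1 + depthNaive(sel.selections, fragments, stats));
    }
  }
  return max;
}

// Memoized traversal (the fix): a fragment's depth is computed once and reused,
// so cost is linear in document size. A fragment met while still being computed
// is a cycle, which GraphQL validation forbids anyway; reject it explicitly.
function depthMemo(selections, fragments, stats, memo = new Map()) {
  let max = 0;
  for (const sel of selections) {
    if (sel.kind === 'spread') {
      if (!memo.has(sel.name)) {
        memo.set(sel.name, null); // marker: computation in progress
        stats.fragmentVisits++;
        memo.set(sel.name, depthMemo(fragments[sel.name], fragments, stats, memo));
      } else if (memo.get(sel.name) === null) {
        throw new Error('fragment cycle: ' + sel.name);
      }
      max = Math.max(max, memo.get(sel.name));
    } else {
      max = Math.max(max, 1 + depthMemo(sel.selections, fragments, stats, memo));
    }
  }
  return max;
}

// Runs both validators on a query that spreads `root` once and reports the
// computed depth and how many fragment bodies each traversal walked.
function compare(fragments = FRAGMENTS, root = 'F3') {
  const query = [{ kind: 'spread', name: root }];
  const naiveStats = { fragmentVisits: 0 }, memoStats = { fragmentVisits: 0 };
  const naive = depthNaive(query, fragments, naiveStats);
  const memo = depthMemo(query, fragments, memoStats);
  return { depth: naive, same: naive === memo,
    naiveVisits: naiveStats.fragmentVisits, memoVisits: memoStats.fragmentVisits };
}
```

With four levels the naive walk visits 15 fragment bodies and the memoized walk 4; both report the same depth, which is the point of the fix.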

Related Identifiers

BIT-PARSE-2026-34573
CVE-2026-34573
GHSA-MFJ6-6P54-M98C

Affected Products

Parse Server