PT-2026-42860 · Unknown · Parse Server
Published
2026-05-23
·
Updated
2026-06-16
·
CVE-2026-47138
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server (affected versions not specified)
Description
An unauthenticated attacker with knowledge of a public Parse Application ID can cause a denial of service by submitting a single HTTP request to any '/parse/*' endpoint. The attack involves providing adversarial input in the client SDK version field, which triggers polynomial backtracking—a condition where a regular expression engine takes an exponential amount of time to process a string—within a request-header parser. Because this parsing occurs before session authentication and rate limiting, it consumes significant synchronous CPU resources on a Node.js worker. A few concurrent requests or a single large request via the body field can saturate or pin a worker for several minutes.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Deploy a reverse proxy or WAF to strip or strictly size-limit the
X-Parse-Client-Version header and the ClientVersion field in JSON request bodies on every '/parse/*' route.
Avoid using the X-Parse-Client-Version header and the ClientVersion field in JSON request bodies.Exploit
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Parse Server