PT-2026-42860 · Unknown · Parse Server

Published

2026-05-23

·

Updated

2026-06-16

·

CVE-2026-47138

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Parse Server (affected versions not specified)
Description An unauthenticated attacker with knowledge of a public Parse Application ID can cause a denial of service by submitting a single HTTP request to any '/parse/*' endpoint. The attack involves providing adversarial input in the client SDK version field, which triggers polynomial backtracking—a condition where a regular expression engine takes an exponential amount of time to process a string—within a request-header parser. Because this parsing occurs before session authentication and rate limiting, it consumes significant synchronous CPU resources on a Node.js worker. A few concurrent requests or a single large request via the body field can saturate or pin a worker for several minutes.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Deploy a reverse proxy or WAF to strip or strictly size-limit the X-Parse-Client-Version header and the ClientVersion field in JSON request bodies on every '/parse/*' route. Avoid using the X-Parse-Client-Version header and the ClientVersion field in JSON request bodies.

Exploit

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-47138
CVE-2026-47138
GHSA-38M6-82C8-4XFM

Affected Products

Parse Server