CVE-2026-47138
Published 2026-06-12
Priority: P2 59 · Severity: high · CVSS 4.0 base score: 8.7
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.58% (43.5th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.77 | 8.6.77 |
| parse-community | parse-server | — | — |
VulDB
parse-community parse-server up to 8.6.76/9.9.1-alpha.0 request-header Parser redos (GHSA-38m6-82c8-4xfm)
vuldb·2026-06-12·CVSS 8.7
A vulnerability classified as problematic was found in parse-community parse-server up to 8.6.76/9.9.1-alpha.0. Affected by this vulnerability is an unknown functionality of the component request-header Parser. Executing a manipulation can lead to inefficient regular expression complexity.
This vulnerability appears as CVE-2026-47138. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is advised.
GHSA
Parse Server: Pre-authentication denial of service via client version header regex backtracking
ghsa·2026-05-23
### Impact
An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every `/parse/*` request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected.
### Patches
The clien
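The advisory's core point is that the client SDK version value is handed to a backtracking parser before authentication or rate limiting. One defensive measure while upgrading is to bound and validate that value in linear time before Parse Server sees it. The following is an added example, not Parse Server's own code or its patch; the header name `x-parse-client-version`, the body field `_ClientVersion`, the 64-character limit and the accepted version format (optional alphabetic SDK prefix plus dot-separated numeric segments) are assumptions.

```javascript
// Added example: a pre-mount Express-style guard for the client SDK version
// value. It never uses a regex, so its cost is proportional to input length
// regardless of the input's content.
const CLIENT_VERSION_HEADER = 'x-parse-client-version'; // assumed header name
const CLIENT_VERSION_BODY_FIELD = '_ClientVersion';     // assumed body field name
const MAX_CLIENT_VERSION_LENGTH = 64;                   // constructed bound

function isLetter(c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
function isDigit(c) { return c >= '0' && c <= '9'; }

// Single left-to-right pass: optional letters, then one or more numeric
// segments separated by single dots. Rejects empty segments, trailing dots,
// non-string values and anything over the length bound.
function isWellFormedClientVersion(value) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > MAX_CLIENT_VERSION_LENGTH) return false;
  let i = 0;
  while (i < value.length && isLetter(value[i])) i++;   // optional SDK prefix
  if (i === value.length) return false;                 // no numeric part at all
  let segments = 0;
  while (i < value.length) {
    let digits = 0;
    while (i < value.length && isDigit(value[i])) { i++; digits++; }
    if (digits === 0) return false;                     // empty segment
    segments++;
    if (i < value.length) {
      if (value[i] !== '.') return false;               // unexpected character
      i++;
      if (i === value.length) return false;             // trailing dot
    }
  }
  return segments > 0;
}

// Express-style middleware (req, res, next). Returns true when the request is
// passed on, false when it was rejected with HTTP 400 before any parsing.
function clientVersionGuard(req, res, next) {
  const candidates = [];
  if (req.headers && req.headers[CLIENT_VERSION_HEADER] !== undefined) {
    candidates.push(req.headers[CLIENT_VERSION_HEADER]);
  }
  if (req.body && req.body[CLIENT_VERSION_BODY_FIELD] !== undefined) {
    candidates.push(req.body[CLIENT_VERSION_BODY_FIELD]);
  }
  for (const v of candidates) {
    if (!isWellFormedClientVersion(v)) {
      res.statusCode = 400;
      res.end('invalid client version');
      return false;
    }
  }
  next();
  return true;
}
```

Mount the guard after the JSON body parser and before the Parse Server app is attached under `/parse`, so the body-field variant is covered as well as the header. Upgrading to a fixed version remains the actual remediation; this only narrows the pre-auth input reaching the parser.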
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.