CVE-2026-57480
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-57480 is a denial-of-service vulnerability in Parse Server (npm package parse-server) caused by exponential-time processing of deeply nested query condition operators. A remote, unauthenticated attacker can send a single small (~1 KB) crafted query containing deeply nested $or/$and/$nor operators to block the Node.js event loop for many seconds, rendering the server unresponsive to all clients. The vulnerability affects parse-server versions >= 9.0.0 and < 9.9.1-alpha.12, and all versions < 8.6.82. It was published by maintainer mtrezza on June 17, 2026, and carries a CVSS v4 base score of 8.7 (High) (GitHub Advisory).

Détails techniques

The root cause is CWE-407 (Inefficient Algorithmic Complexity): the internal query-traversal helper in src/RestQuery.js and src/LiveQuery/ParseLiveQueryServer.ts previously re-walked nested arrays during query processing, causing exponential time complexity when processing deeply nested logical operators ($or, $and, $nor) (GitHub Advisory). Additionally, the optional requestComplexity.queryDepth depth-limiting guard could be bypassed by wrapping logical operators inside field-level operators such as $elemMatch, $not, or plain field names, as these were not traversed by the validator (GitHub PR #10511). The vulnerability is reachable via both the REST API and LiveQuery query handling in the default configuration, requiring only the public application identifier — no authentication is needed (GitHub Advisory).

Impact

Successful exploitation causes complete availability loss of the Parse Server instance: a single repeatable request can occupy the Node.js event loop for many seconds, making the server unresponsive to all connected clients for the duration of processing (GitHub Advisory). There is no confidentiality or integrity impact — the attack is purely a denial-of-service. Because the request is small (~1 KB) and repeatable, a persistent attacker can effectively keep the server offline with minimal bandwidth, affecting all users and dependent services.

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing Parse Server instances by scanning for the Parse REST API endpoint (typically /parse/classes/ or /parse/query/) and obtaining the public application identifier (App ID), which is often embedded in client-side code or mobile apps.
  2. Craft malicious query: Construct a small (~1 KB) JSON query payload containing deeply nested logical operators ($or, $and, or $nor), optionally wrapped inside field-level operators such as $elemMatch or $not to bypass any configured requestComplexity.queryDepth limit. Example structure: {"where": {"field": {"$elemMatch": {"$or": [{"$or": [{"$or": [...]}]}]}}}}.
  3. Send the request: Submit the crafted query as an HTTP GET or POST request to the Parse Server REST API endpoint (e.g., GET /parse/classes/MyClass?where=<payload>) with the X-Parse-Application-Id header set to the target App ID. No session token or user credentials are required.
  4. Trigger event loop blockage: Parse Server's internal query-traversal helper processes the nested structure with exponential time complexity, blocking the Node.js event loop for many seconds and making the server unresponsive to all other clients.
  5. Repeat for sustained DoS: Resend the request periodically to maintain the denial-of-service condition, as the attack is repeatable with minimal resources (GitHub Advisory).

Indicateurs de compromis

  • Network: Repeated small HTTP requests (~1 KB) to Parse Server REST API endpoints (e.g., /parse/classes/*) or LiveQuery WebSocket connections containing deeply nested JSON query structures with $or, $and, or $nor operators; requests originating from a single or small set of IP addresses at high frequency.
  • Logs: Parse Server access logs showing requests with unusually complex where parameters containing nested logical operators; requests that take abnormally long to process (many seconds) logged in application performance monitoring.
  • Process: Node.js process CPU usage spiking to near 100% for extended periods following receipt of specific query requests; event loop lag metrics showing multi-second delays; server health checks timing out or failing during attack periods.
  • Application: All clients experiencing timeouts or connection failures to the Parse Server simultaneously, correlating with specific inbound query requests in access logs (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade parse-server to version 9.9.1-alpha.12 (for the v9 branch) or 8.6.82 (for the v8 LTS branch), both released on June 17, 2026 (GitHub PR #10511, GitHub PR #10512). There is no complete configuration-only workaround; setting requestComplexity.queryDepth to a small positive integer reduces exposure but does not fully prevent exploitation, as the depth limit can be bypassed by nesting operators inside field-level operators like $elemMatch or $not (GitHub Advisory). Upgrading is strongly recommended as the only reliable mitigation.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git-core
NonOuiJul 08, 2026
CVE-2026-57480HIGH8.7
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55849HIGH8.5
  • JavaScript logoJavaScript
  • @cyclonedx/cyclonedx-npm
NonOuiJul 08, 2026
CVE-2026-57481LOW2.3
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55778LOW2.1
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités