
PEACH
Un cadre d’isolation des locataires
CVE-2026-57480 is a denial-of-service vulnerability in Parse Server (npm package parse-server) caused by exponential-time processing of deeply nested query condition operators. A remote, unauthenticated attacker can send a single small (~1 KB) crafted query containing deeply nested $or/$and/$nor operators to block the Node.js event loop for many seconds, rendering the server unresponsive to all clients. The vulnerability affects parse-server versions >= 9.0.0 and < 9.9.1-alpha.12, and all versions < 8.6.82. It was published by maintainer mtrezza on June 17, 2026, and carries a CVSS v4 base score of 8.7 (High) (GitHub Advisory).
The root cause is CWE-407 (Inefficient Algorithmic Complexity): the internal query-traversal helper in src/RestQuery.js and src/LiveQuery/ParseLiveQueryServer.ts previously re-walked nested arrays during query processing, causing exponential time complexity when processing deeply nested logical operators ($or, $and, $nor) (GitHub Advisory). Additionally, the optional requestComplexity.queryDepth depth-limiting guard could be bypassed by wrapping logical operators inside field-level operators such as $elemMatch, $not, or plain field names, as these were not traversed by the validator (GitHub PR #10511). The vulnerability is reachable via both the REST API and LiveQuery query handling in the default configuration, requiring only the public application identifier — no authentication is needed (GitHub Advisory).
Successful exploitation causes complete availability loss of the Parse Server instance: a single repeatable request can occupy the Node.js event loop for many seconds, making the server unresponsive to all connected clients for the duration of processing (GitHub Advisory). There is no confidentiality or integrity impact — the attack is purely a denial-of-service. Because the request is small (~1 KB) and repeatable, a persistent attacker can effectively keep the server offline with minimal bandwidth, affecting all users and dependent services.
/parse/classes/ or /parse/query/) and obtaining the public application identifier (App ID), which is often embedded in client-side code or mobile apps.$or, $and, or $nor), optionally wrapped inside field-level operators such as $elemMatch or $not to bypass any configured requestComplexity.queryDepth limit. Example structure: {"where": {"field": {"$elemMatch": {"$or": [{"$or": [{"$or": [...]}]}]}}}}.GET /parse/classes/MyClass?where=<payload>) with the X-Parse-Application-Id header set to the target App ID. No session token or user credentials are required./parse/classes/*) or LiveQuery WebSocket connections containing deeply nested JSON query structures with $or, $and, or $nor operators; requests originating from a single or small set of IP addresses at high frequency.where parameters containing nested logical operators; requests that take abnormally long to process (many seconds) logged in application performance monitoring.Upgrade parse-server to version 9.9.1-alpha.12 (for the v9 branch) or 8.6.82 (for the v8 LTS branch), both released on June 17, 2026 (GitHub PR #10511, GitHub PR #10512). There is no complete configuration-only workaround; setting requestComplexity.queryDepth to a small positive integer reduces exposure but does not fully prevent exploitation, as the depth limit can be bypassed by nesting operators inside field-level operators like $elemMatch or $not (GitHub Advisory). Upgrading is strongly recommended as the only reliable mitigation.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."