CVE-2026-30946

Опубликовано: 10 мар. 2026

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.

Ссылки

https://github.com/parse-community/parse-server/releases/tag/8.6.15
Release Notes
Product
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2
Release Notes
Product
https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*

Версия до 8.6.15 (исключая)

cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*

Версия от 9.0.0 (включая) до 9.5.2 (исключая)

cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*

EPSS

Процентиль: 5%

0.0002

Низкий

7.5 High

CVSS3

Дефекты

CWE-770

Связанные уязвимости

GHSA-cmj3-wx7h-ffvg

github

около 1 месяца назад

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API