HIGH · CVE-2026-47138 · CNA: GitHub_M

CVE-2026-47138: Parse Server: Pre-authentication denial of service via client version header regex backtracking

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: (no value listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a regular-expression denial-of-service (ReDoS) vulnerability in Parse Server, an open-source Node.js backend framework. An unauthenticated attacker who knows a Parse Application ID (which is typically public) can send a single crafted HTTP request whose client SDK version header triggers polynomial backtracking in the request-header parser, consuming seconds to minutes of synchronous CPU on a Node.js worker before any authentication or rate limiting runs. Successful exploitation saturates worker threads, making the Parse Server API unavailable to legitimate clients. A patched-image rebuild at versions 8.6.77 or 9.9.1-alpha.1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (status: Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including GitHub Advisory Database) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle parse-server as a dependency.

Triage (status: Available)

HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and surfaces it accordingly, with per-environment compliance policy weighting applied to prioritize or escalate it based on each customer org's defined thresholds. Triage routing directs the alert to the appropriate team inbox within each customer environment based on image ownership and policy configuration.

Patch (status: Pending upstream)

Because no fix versions have been published upstream at the time of this record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment versions 8.6.77 or 9.9.1-alpha.1 are confirmed in the upstream package registry. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once the upstream fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Parse Server API over the network; any publicly exposed /parse/* endpoint is a viable target.

  • Authentication: Not required

    No credentials are needed; only a publicly known Parse Application ID is required, which is typically embedded in client applications.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free; a single crafted HTTP request is sufficient to pin a Node.js worker, and no race conditions or special environmental factors are required.

Blast Radius

  • The targeted Node.js worker thread is pinned for seconds to minutes per request, blocking all legitimate requests queued behind it.
  • A small number of concurrent malicious requests saturates the available worker pool, making the Parse Server API unresponsive to all clients.
  • Confidentiality and data integrity are not directly affected; the impact is confined to availability of the service.
  • Dependent services or mobile and web clients that rely on Parse Server as their backend lose connectivity for the duration of the attack.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47138 is active across all connected environments, matching any image that includes an affected parse-server version (< 8.6.77 on the v8 line, or >= 9.0.0 and < 9.9.1-alpha.1 on the v9 line). Because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once versions 8.6.77 or 9.9.1-alpha.1 appear in the upstream registry. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual steps. In the interim, compensating controls worth considering include:

  • placing a reverse proxy or WAF in front of Parse Server endpoints to enforce request-size limits and per-IP rate limiting before requests reach the Node.js process;
  • restricting inbound access to /parse/* endpoints to known client IP ranges via network policy where feasible;
  • monitoring worker CPU utilization with an alert threshold that can flag an active ReDoS attempt in progress.
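The header-parsing and compensating-control points above, as an added example that is not Parse Server's code and is not taken from the advisory: a client SDK version value is checked against a hard length cap before anything else looks at it, and is then parsed by a single left-to-right scan rather than a regex, so the cost is linear in an input whose length is already bounded and no input can cause backtracking. The header name `x-parse-client-version`, the 64-character cap and the `<sdk><major>.<minor>.<patch>` shape (e.g. `js5.3.0`) are assumptions made for this example, not details of Parse Server.

```javascript
// Added example, not Parse Server code: a client SDK version header parsed with a
// single bounded scan instead of a regex, plus a pre-parse length guard that runs
// before any other processing of the request.
// Assumptions (not from the advisory): the header name, the 64-character cap and the
// "<sdk><major>.<minor>.<patch>" shape are all constructed for this example.

const CLIENT_VERSION_HEADER = 'x-parse-client-version'; // assumed header name (Node lowercases header names)
const MAX_VERSION_LENGTH = 64; // assumed cap; real SDK version strings are far shorter

function isLowerAlpha(code) { return code >= 97 && code <= 122; }
function isDigit(code) { return code >= 48 && code <= 57; }

// Linear-time parser: each character is examined at most once, so the worst case is
// proportional to the (already capped) input length. Returns null on any malformed input.
function parseClientVersion(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_VERSION_LENGTH) {
    return null;
  }
  let i = 0;
  while (i < raw.length && isLowerAlpha(raw.charCodeAt(i))) i++;
  if (i === 0) return null; // SDK name must be non-empty
  const sdk = raw.slice(0, i);

  const parts = [];
  for (let p = 0; p < 3; p++) {
    const start = i;
    while (i < raw.length && isDigit(raw.charCodeAt(i))) i++;
    if (i === start || i - start > 9) return null; // each component: 1..9 digits
    parts.push(Number(raw.slice(start, i)));
    if (p < 2) {
      if (raw[i] !== '.') return null;
      i++;
    }
  }
  if (i !== raw.length) return null; // reject trailing characters
  return { sdk, major: parts[0], minor: parts[1], patch: parts[2] };
}

// Pre-authentication guard: decides on the header's length alone before the value is
// ever parsed, so an oversized value is rejected in constant time. Returns an HTTP-style verdict.
function guardClientVersion(headers) {
  const raw = headers[CLIENT_VERSION_HEADER];
  if (raw === undefined) {
    return { status: 200, version: null }; // header treated as optional in this example
  }
  if (typeof raw !== 'string' || raw.length > MAX_VERSION_LENGTH) {
    return { status: 431, version: null }; // 431 Request Header Fields Too Large
  }
  const version = parseClientVersion(raw);
  if (version === null) {
    return { status: 400, version: null };
  }
  return { status: 200, version };
}

// Stand-alone demonstration over constructed inputs; returns the verdict for each case.
function demo() {
  return {
    legit: guardClientVersion({ [CLIENT_VERSION_HEADER]: 'js5.3.0' }),
    // constructed oversized value (100 000 characters): rejected by the length check alone
    oversized: guardClientVersion({ [CLIENT_VERSION_HEADER]: 'a'.repeat(100000) }),
    malformed: guardClientVersion({ [CLIENT_VERSION_HEADER]: 'js5.3' }),
    absent: guardClientVersion({}),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node`; `demo()` returns the four verdicts. The property that matters is that the 431 branch never reads the value's content: the guard sits in front of every parser, so an oversized value cannot reach code whose running time depends on what the value contains, and the parser behind it has no construct whose cost grows faster than the capped length.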

Affected packages
  • parse-community / parse-server
    < 8.6.77 · >= 9.0.0, < 9.9.1-alpha.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N