js · parse-server · Critical
parse-server Denial of Service via Deeply Nested Query Conditions
Parse Server is vulnerable to denial of service via deeply nested query condition operators, causing exponential time complexity.
What changed
The fix corrects query traversal to linear time and generalizes the queryDepth limit to prevent bypass.
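As an added illustration (not Parse Server's own code), the following sketch shows a depth check of the kind described: it visits each node of a query constraint once and applies the limit to every nested object, whichever operator key introduces it. The names checkQueryDepth and buildNested, the maxDepth parameter standing in for a limit such as queryDepth, and the sample queries are assumptions made for this example.

```javascript
// Added example, not Parse Server source code.
// Assumption: the query constraint ("where") has already been parsed from JSON.
// checkQueryDepth, buildNested and maxDepth are hypothetical names.

function checkQueryDepth(where, maxDepth) {
  // An explicit stack visits every node exactly once (linear in input size)
  // and avoids recursion, so very deep input cannot exhaust the call stack.
  const stack = [{ value: where, depth: 1 }];
  let visited = 0;
  let deepest = 0;
  while (stack.length > 0) {
    const { value, depth } = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    if (Array.isArray(value)) {
      // Arrays only group conditions; their items stay at the same depth.
      for (const item of value) stack.push({ value: item, depth });
      continue;
    }
    visited += 1;
    if (depth > deepest) deepest = depth;
    // The limit applies to any nested object, not to a fixed list of
    // operator names, so a different operator cannot sidestep it.
    if (depth > maxDepth) return { ok: false, deepest, visited };
    for (const child of Object.values(value)) {
      stack.push({ value: child, depth: depth + 1 });
    }
  }
  return { ok: true, deepest, visited };
}

// Constructed sample input: a condition wrapped in `levels` layers of $or.
function buildNested(levels) {
  let query = { score: 1 };
  for (let i = 0; i < levels; i++) query = { $or: [query] };
  return query;
}

console.log(checkQueryDepth(buildNested(3), 10));  // within the limit
console.log(checkQueryDepth(buildNested(20), 10)); // rejected early
```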
Who it affects
All Parse Server installations using the default configuration. No authentication is required; only the public app ID is needed.
What to do today
Upgrade Parse Server to a patched version immediately.