Parse Server is an open-source backend framework that runs on Node.js and supports GraphQL queries. The vulnerability CVE-2026-34573 arises from inefficient algorithmic complexity in the GraphQL query complexity validator component. Specifically, when the configuration options requestComplexity.graphQLDepth or requestComplexity.graphQLFields are enabled, the validator processes incoming GraphQL queries to assess their complexity and prevent resource exhaustion. However, crafted queries containing binary fan-out fragment spreads can cause the validator to perform excessive computation, blocking the Node.js event loop. Since Node.js operates on a single-threaded event loop, blocking it for seconds effectively denies service to all users relying on that server instance. The vulnerability requires no authentication or user interaction, making it remotely exploitable by any attacker who can send queries to the parse-server endpoint. This flaw is classified under CWE-407 (Inefficient Algorithmic Complexity), indicating that the algorithm's performance degrades significantly under certain inputs. The vulnerability affects parse-server versions prior to 8.6.68 and from 9.0.0 up to but not including 9.7.0-alpha.12, where patches have been applied to optimize the complexity validation logic and mitigate the DoS risk. Although no known exploits have been reported in the wild, the high CVSS score of 8.2 reflects the ease of exploitation and potential impact on availability.

The primary impact of this vulnerability is denial-of-service, which can severely disrupt the availability of applications relying on parse-server backends. Since the Node.js event loop is blocked for seconds by a single crafted query, all concurrent users experience service outages or degraded performance during the attack. This can lead to significant operational downtime, loss of user trust, and potential financial losses for organizations. The vulnerability affects any deployment exposing GraphQL endpoints with the specified complexity validation enabled, which is common in environments aiming to prevent abusive queries. Because no authentication is required, attackers can exploit this remotely without credentials, increasing the risk of widespread attacks. Organizations using parse-server in critical applications, especially those with high user concurrency or real-time requirements, are at elevated risk. The vulnerability does not impact confidentiality or integrity directly but poses a substantial availability threat. The lack of known exploits in the wild suggests limited active exploitation currently, but the ease of triggering the DoS condition warrants urgent remediation.

Organizations should immediately upgrade parse-server to version 8.6.68 or later, or 9.7.0-alpha.12 or later, where the vulnerability has been patched. If upgrading is not immediately feasible, consider disabling the requestComplexity.graphQLDepth and requestComplexity.graphQLFields options to prevent the vulnerable complexity validation logic from executing. Implement rate limiting and request throttling on GraphQL endpoints to reduce the impact of potential abuse. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious GraphQL queries containing excessive fragment spreads or abnormal complexity patterns. Monitor server performance metrics and logs for signs of event loop blocking or unusual query patterns. Additionally, consider isolating parse-server instances behind load balancers that can detect and mitigate DoS conditions. Regularly review and test GraphQL query complexity configurations to balance security and performance without exposing to inefficient algorithmic complexity. Finally, maintain an incident response plan to quickly address any detected DoS attempts.