CVE-2026-47138: CWE-1333: Inefficient Regular Expression Complexity in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.
AI Analysis
Technical Summary
CVE-2026-47138 is a vulnerability in parse-community's parse-server involving inefficient regular expression complexity (CWE-1333) in the parsing of the client SDK version field within HTTP request headers. This parsing happens before session authentication and rate limiting on all /parse/* endpoints. An attacker who knows a public Parse Application ID can submit a single crafted HTTP request that triggers polynomial backtracking in the regex parser, causing the Node.js worker to spend seconds to minutes processing the request synchronously. This resource exhaustion can saturate workers with only a few concurrent requests, impacting service availability. The vulnerability affects production deployments running default configurations. The issue is fixed in versions 8.6.77 and 9.9.1-alpha.1.
Potential Impact
The vulnerability allows unauthenticated attackers to cause denial of service by exhausting CPU resources on Node.js workers handling parse-server requests. Because the expensive regex parsing occurs before authentication and rate limiting, attackers can exploit this to degrade or disrupt service availability with minimal effort. This can lead to worker saturation and potential downtime for affected parse-server deployments.
Mitigation Recommendations
A fix is available in parse-server versions 8.6.77 and 9.9.1-alpha.1. Users should upgrade to these or later versions to remediate this vulnerability. Since the vendor advisory does not specify alternative mitigations, upgrading is the recommended action. Patch status is confirmed by the vendor advisory stating the issue is fixed in these versions.
CVSS v4.0
Score: 8.7 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-18T19:50:18.696Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2c5612e617e2d834b0f363
Added to database: 6/12/2026, 6:55:14 PM
Last enriched: 6/12/2026, 7:09:34 PM
Last updated: 6/12/2026, 9:30:13 PM