Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 1103c7a
Author: Manuel
Date: 2026-06-17T14:21:23Z
Commit Message
fix: Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8)) (#10511)
Pull Request
PR: #10511 - fix: Denial of service via exponential-time processing of deeply nested query operators (GHSA-cgxm-vr2f-6fj8)
Labels: state:released-alpha
Description:
Issue
Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8))
Tasks
Analysis
Vulnerability Type: Denial of Service (ReDoS/Algorithmic Complexity)
Severity: High
Description
The vulnerability allowed malicious users to submit deeply nested query operators (such as nested $or conditions wrapped inside field-level operators like $elemMatch) that caused exponential-time processing. This leads to excessive CPU consumption and denial of service, effectively hanging or severely slowing the server. The patch introduces thorough query depth validation that correctly tracks nesting even under field wrapping, preventing exponential blowup and enforcing limits on query complexity.
Affected Code
const checkDepth = (where: any, depth: number) => {
if (depth > maxDepth) {
throw new Parse.Error(
Parse.Error.INVALID_QUERY,
`Query condition nesting depth exceeds maximum allowed depth of ${maxDepth}`
);
}
if (typeof where !== 'object' || where === null) {
return;
}
for (const op of ['$or', '$and', '$nor']) {
if (where[op] !== undefined && !Array.isArray(where[op])) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
}
if (Array.isArray(where[op])) {
for (const subQuery of where[op]) {
checkDepth(subQuery, depth + 1);
}
}
}
};
Proof of Concept
Send a subscription query or REST query with deeply nested logical operators wrapped inside field-level operators to exploit exponential processing:
```json
{
"className": "TestClass",
"where": {
"tags": {
"$elemMatch": {
"$or": [
{"$or": [
{"$or": [
{"$or": [
{"name": "x"}
]}
]}
]}
]
}
}
}
}
```
This input exceeds the queryDepth limit without the patch and causes the server to do exponential-time processing, leading to denial-of-service (server hang or severe slowdown). After the patch, the request is rejected early with an INVALID_QUERY error about nesting depth.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-17T18:03:16.522Z
Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 1103c7a
Author: Manuel
Date: 2026-06-17T14:21:23Z
Commit Message
Pull Request
PR: #10511 - fix: Denial of service via exponential-time processing of deeply nested query operators (GHSA-cgxm-vr2f-6fj8)
Labels: state:released-alpha
Description:
Issue
Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8))
Tasks
Analysis
Vulnerability Type: Denial of Service (ReDoS/Algorithmic Complexity)
Severity: High
Description
The vulnerability allowed malicious users to submit deeply nested query operators (such as nested $or conditions wrapped inside field-level operators like $elemMatch) that caused exponential-time processing. This leads to excessive CPU consumption and denial of service, effectively hanging or severely slowing the server. The patch introduces thorough query depth validation that correctly tracks nesting even under field wrapping, preventing exponential blowup and enforcing limits on query complexity.
Affected Code
Proof of Concept
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-17T18:03:16.522Z