Skip to content

[Vulnerability] parse-community/parse-server: Denial of Service (ReDoS/Algorithmic Complexity) #578

Description

@github-actions

Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: 1103c7a
Author: Manuel
Date: 2026-06-17T14:21:23Z

Commit Message

fix: Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8)) (#10511)

Pull Request

PR: #10511 - fix: Denial of service via exponential-time processing of deeply nested query operators (GHSA-cgxm-vr2f-6fj8)
Labels: state:released-alpha

Description:

Issue

Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8))

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

Analysis

Vulnerability Type: Denial of Service (ReDoS/Algorithmic Complexity)
Severity: High

Description

The vulnerability allowed malicious users to submit deeply nested query operators (such as nested $or conditions wrapped inside field-level operators like $elemMatch) that caused exponential-time processing. This leads to excessive CPU consumption and denial of service, effectively hanging or severely slowing the server. The patch introduces thorough query depth validation that correctly tracks nesting even under field wrapping, preventing exponential blowup and enforcing limits on query complexity.

Affected Code

const checkDepth = (where: any, depth: number) => {
  if (depth > maxDepth) {
    throw new Parse.Error(
      Parse.Error.INVALID_QUERY,
      `Query condition nesting depth exceeds maximum allowed depth of ${maxDepth}`
    );
  }
  if (typeof where !== 'object' || where === null) {
    return;
  }
  for (const op of ['$or', '$and', '$nor']) {
    if (where[op] !== undefined && !Array.isArray(where[op])) {
      throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
    }
    if (Array.isArray(where[op])) {
      for (const subQuery of where[op]) {
        checkDepth(subQuery, depth + 1);
      }
    }
  }
};

Proof of Concept

Send a subscription query or REST query with deeply nested logical operators wrapped inside field-level operators to exploit exponential processing:

`​`​`​json
{
  "className": "TestClass",
  "where": {
    "tags": {
      "$elemMatch": {
        "$or": [
          {"$or": [
            {"$or": [
              {"$or": [
                {"name": "x"}
              ]}
            ]}
          ]}
        ]
      }
    }
  }
}
`​`​`​

This input exceeds the queryDepth limit without the patch and causes the server to do exponential-time processing, leading to denial-of-service (server hang or severe slowdown). After the patch, the request is rejected early with an INVALID_QUERY error about nesting depth.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-17T18:03:16.522Z

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions