CVE-2026-34573: parse-server has GraphQL complexity validator exponential fragment traversal DoS
The GraphQL query complexity validator can be exploited to cause a denial of service by sending a crafted query with binary fan-out fragment spreads: the validator re-traverses a fragment every time it is spread, so nested spreads make the traversal cost grow exponentially with query depth. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options.
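The following is an added example, not parse-server's code or its fix: a minimal field counter over a hand-built selection tree that shows why re-walking a fragment at every spread explodes on binary fan-out, and how memoising per-fragment cost plus a visit budget keeps validation bounded. The names countFields, VISIT_BUDGET and makeFanOut, and the plain-object selection shape, are assumptions of this example.

```javascript
// Added example (not parse-server code). A selection is either
// {field: name, selections: [...]} or {spread: fragmentName};
// `fragments` maps fragment name -> array of selections.
const VISIT_BUDGET = 10000; // assumed cap on selection nodes touched per query

function countFields(selections, fragments, opts = {}) {
  const memo = opts.memoize ? new Map() : null; // per-fragment cost cache
  const inProgress = new Set();                 // guards against cyclic spreads
  let visits = 0;

  function walk(sels) {
    let total = 0;
    for (const sel of sels) {
      // The budget bounds the worst case even for the naive (non-memoised) walk.
      if (++visits > VISIT_BUDGET) throw new Error('query too complex');
      if (sel.field !== undefined) {
        total += 1 + walk(sel.selections || []);
        continue;
      }
      const name = sel.spread;
      if (memo && memo.has(name)) { total += memo.get(name); continue; }
      if (inProgress.has(name)) throw new Error('cyclic fragment ' + name);
      inProgress.add(name);
      const cost = walk(fragments[name] || []); // walked once per fragment when memoised
      inProgress.delete(name);
      if (memo) memo.set(name, cost);
      total += cost;
    }
    return total;
  }
  return { fields: walk(selections), visits };
}

// Constructed regression fixture: `depth` fragments, each spreading the next
// one twice; the last one selects a single field.
function makeFanOut(depth) {
  const fragments = {};
  for (let i = 0; i < depth; i++) {
    fragments['F' + i] = i + 1 < depth
      ? [{ spread: 'F' + (i + 1) }, { spread: 'F' + (i + 1) }]
      : [{ field: 'objectId' }];
  }
  return { selections: [{ spread: 'F0' }], fragments };
}
```

With memoisation the visit count stays linear in the number of fragments, so the reported field total (itself exponential) is computed cheaply and can then be compared against the configured limit; without it the budget is the only thing that stops the walk.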
References
- github.com/advisories/GHSA-mfj6-6p54-m98c
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295
- github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b
- github.com/parse-community/parse-server/pull/10344
- github.com/parse-community/parse-server/pull/10345
- github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c
- nvd.nist.gov/vuln/detail/CVE-2026-34573
Detect and mitigate CVE-2026-34573 with GitLab Dependency Scanning