Lucene search
K

7 matches found

OSV
OSV
added 2026/07/08 8:53 p.m.4 views

CVE-2026-57480 Parse Server: Denial of service via exponential-time processing of deeply nested query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the...

8.7CVSS6.1AI score0.00335EPSS
Exploits0References9
OSV
OSV
added 2026/06/24 3:50 p.m.2 views

CVE-2026-54297 Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nestin...

7.5CVSS7.1AI score0.00391EPSS
Exploits1References6
OSV
OSV
added 2026/03/27 7:14 a.m.1 views

BIT-PARSE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. Th...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References6
Snyk
Snyk
added 2026/03/20 8:56 p.m.6 views

Uncontrolled Recursion

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References2
OSV
OSV
added 2026/03/20 8:56 p.m.4 views

GHSA-9FJP-Q3C4-6W3J Parse Server has a query condition depth bypass via pre-validation transform pipeline

Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. Patches The...

8.7CVSS5.9AI score0.00452EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/17 12:0 a.m.6 views

PT-2026-26165

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...

8.7CVSS5.7AI score0.00483EPSS
Exploits0References9
CVE
CVE
added 2025/12/22 9:35 p.m.14 views

CVE-2021-47713

Affected software: Hasura GraphQL Engine, version 1.3.3. Vulnerability: Denial-of-service via crafted GraphQL queries with excessively nested fields, enabling an attacker to use long query strings and multi-threaded requests to exhaust server resources and potentially crash the GraphQL endpoint. ...

8.7CVSS6.4AI score0.00405EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder