logo

Database

Asymmetric denial of service In parse-server

Description

Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

Impact

An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.

Patches

The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.

Workarounds

There is no known workaround other than upgrading.

Resources

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-335382. NVD-2026-335383. OSV-2026-335384. GHSA-g4cf-xj29-wqqr5. GCVE-2026-33538

References

1. https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr2. https://github.com/parse-community/parse-server/pull/102703. https://github.com/parse-community/parse-server/pull/10271

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.