Threat Advisory

Parse Server Vulnerability Allows Unauthenticated CPU Exhaustion

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-47138 (CVSS score 8.7) is a pre-authentication denial-of-service vulnerability in npm/parse-server. Affected versions are those greater than or equal to 9.0.0 and less than 9.9.1-alpha.1, and those less than 8.6.77. An unauthenticated attacker submits an HTTP request carrying a crafted client SDK version string, either in the client SDK version header or in the `_ClientVersion` JSON body field. The string triggers polynomial backtracking in the request-header parser and pins the CPU of the Node.js worker before any access control is evaluated, so no account or other access to the system is needed. Repeated requests saturate the available workers and keep them pinned for prolonged periods, leading to service unavailability and degraded performance for all users of the instance. Exploitation may be facilitated by publicly known Parse Application IDs, which are typically embedded in client applications, and requires no authentication.
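The example below is added to this advisory and is not parse-server's own code. It contrasts a naive version parser of the regex shape that backtracks polynomially on a crafted string (an assumed illustration, not a quotation of the project's source) with a bounded, anchored parser, and adds a pre-routing guard that reads the version string from the two places Parse clients send it (the `X-Parse-Client-Version` header and the `_ClientVersion` body field) and refuses oversized values before any regex runs. The length limits and function names are assumptions chosen for the example.

```javascript
// Added example for this advisory; not parse-server's own code.
'use strict';

// ASSUMED naive shape: letters followed by digits/dots, e.g. "js1.2.3".
// Unanchored, and the first class can absorb the whole input before the
// second class fails, so every start position re-scans the remainder: O(n^2).
const NAIVE_VERSION_RE = /([-a-zA-Z]+)([0-9.]+)/;

function parseClientVersionNaive(version) {
  const m = String(version).toLowerCase().match(NAIVE_VERSION_RE);
  return m ? { sdk: m[1], version: m[2] } : undefined;
}

// Hardened parse: reject oversized or non-string input before any regex runs,
// then use an anchored pattern with bounded repetition. The limits are
// assumptions chosen for this example, generous for any real SDK version.
const MAX_CLIENT_VERSION_LEN = 64;
const SAFE_VERSION_RE = /^([a-z-]{1,32})([0-9]{1,8}(?:\.[0-9]{1,8}){0,4})$/;

function parseClientVersionSafe(version) {
  if (typeof version !== 'string' || version.length > MAX_CLIENT_VERSION_LEN) {
    return undefined;
  }
  const m = version.toLowerCase().match(SAFE_VERSION_RE);
  return m ? { sdk: m[1], version: m[2] } : undefined;
}

// Pre-routing guard (assumed design): pull the version string from either
// location the server accepts and refuse the request if it is oversized, so
// attacker input never reaches a regex. `req` is a plain object shaped like
// an Express request: lower-cased header names and a parsed JSON body.
function clientVersionGuard(req) {
  const fromHeader = req.headers ? req.headers['x-parse-client-version'] : undefined;
  const fromBody = req.body ? req.body._ClientVersion : undefined;
  const candidates = [fromHeader, fromBody].filter((v) => v !== undefined);
  for (const v of candidates) {
    if (typeof v !== 'string' || v.length > MAX_CLIENT_VERSION_LEN) {
      return { allowed: false, reason: 'client version string too long or not a string' };
    }
  }
  return { allowed: true, version: candidates[0] };
}

// Constructed payload: n letters and no digit, the worst case for the naive
// regex, since no start position can ever complete a match.
function craftedVersion(n) {
  return 'a'.repeat(n);
}

function timeMs(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

// Stand-alone demo: the naive parser's time grows superlinearly with input
// length while the safe parser stays flat. Absolute numbers depend on the
// regex engine; the shape of the growth is the point.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [5000, 10000, 20000]) {
    const payload = craftedVersion(n);
    console.log(
      `n=${n}: naive ${timeMs(parseClientVersionNaive, payload).toFixed(1)} ms, ` +
        `safe ${timeMs(parseClientVersionSafe, payload).toFixed(3)} ms`
    );
  }
}
```

Running the file directly prints the timing comparison for three payload sizes; the guard is the piece to put in front of the server as a compensating control while the upgrade is rolled out, since the length check costs nothing and removes the attacker's lever entirely.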

RECOMMENDATION:

  • Update npm/parse-server to 9.9.1-alpha.1 (9.x line) or 8.6.77 (8.x line), or later.
  • Until the update is deployed, cap the length of the client SDK version header and the `_ClientVersion` body field at the reverse proxy or in middleware ahead of Parse Server, and watch for CPU or event-loop-lag spikes that are not matched by request volume (compensating controls added here, beyond the upstream advisory).

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-38m6-82c8-4xfm
