{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-47138/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["parse-server"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","regex-backtracking","CVE-2026-47138"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eParse Server is susceptible to a denial-of-service (DoS) attack due to inefficient regular expression parsing of the client SDK version. The vulnerability, identified as CVE-2026-47138, affects Parse Server versions prior to 8.6.77 and versions 9.0.0 to 9.9.1-alpha.1. An unauthenticated attacker can exploit this by sending a specially crafted HTTP request to the \u003ccode\u003e/parse/*\u003c/code\u003e endpoint. This request contains a malicious client SDK version in either the \u003ccode\u003eX-Parse-Client-Version\u003c/code\u003e header or the \u003ccode\u003e_ClientVersion\u003c/code\u003e field within the JSON request body. The vulnerability stems from polynomial backtracking in the regex parser, causing excessive CPU consumption. A small number of concurrent requests can saturate a worker, leading to a denial-of-service condition. This issue is pre-authentication, meaning an attacker does not need valid credentials to trigger it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible Parse Server instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request targeting the \u003ccode\u003e/parse/*\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a malicious string in the \u003ccode\u003eX-Parse-Client-Version\u003c/code\u003e header of the request, designed to trigger polynomial backtracking in the server\u0026rsquo;s regex parser. Alternatively, the \u003ccode\u003e_ClientVersion\u003c/code\u003e field can be included in the JSON body.\u003c/li\u003e\n\u003cli\u003eThe Parse Server receives the request and attempts to parse the \u003ccode\u003eX-Parse-Client-Version\u003c/code\u003e header (or \u003ccode\u003e_ClientVersion\u003c/code\u003e body field) using a vulnerable regular expression.\u003c/li\u003e\n\u003cli\u003eThe crafted malicious input causes the regex parser to enter a computationally expensive backtracking loop.\u003c/li\u003e\n\u003cli\u003eThis loop consumes significant CPU resources on the server\u0026rsquo;s Node.js worker.\u003c/li\u003e\n\u003cli\u003eMultiple concurrent requests from the attacker exhaust the CPU resources of the available workers.\u003c/li\u003e\n\u003cli\u003eLegitimate requests to the Parse Server are delayed or dropped, resulting in a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-47138 can lead to a denial-of-service condition, rendering the Parse Server unavailable to legitimate users. This can disrupt applications relying on the server and negatively impact business operations. The vulnerability is easily exploitable by unauthenticated attackers who know a publicly known Parse Application ID, making it a significant threat to production deployments running the default configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Parse Server to version 8.6.77 or later, or version 9.9.1-alpha.1 or later to remediate CVE-2026-47138.\u003c/li\u003e\n\u003cli\u003eDeploy a reverse proxy or Web Application Firewall (WAF) to strip the \u003ccode\u003eX-Parse-Client-Version\u003c/code\u003e header AND the \u003ccode\u003e_ClientVersion\u003c/code\u003e field in JSON request bodies on every \u003ccode\u003e/parse/*\u003c/code\u003e route before forwarding to the server, as mentioned in the workaround.\u003c/li\u003e\n\u003cli\u003eImplement strict size limits on request headers and bodies via the reverse proxy or WAF, even after patching.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Parse Client Version Header\u003c/code\u003e to identify exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-23T00:14:48Z","date_published":"2026-05-23T00:14:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-parse-server-dos/","summary":"A denial-of-service vulnerability, CVE-2026-47138, exists in Parse Server due to inefficient regular expression handling of the client SDK version field in HTTP requests, allowing an unauthenticated attacker to exhaust server resources by sending a crafted request with a malicious `X-Parse-Client-Version` header or `_ClientVersion` body field.","title":"Parse Server Pre-authentication Denial of Service via Client Version Header","url":"https://feed.craftedsignal.io/briefs/2026-05-parse-server-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-47138","version":"https://jsonfeed.org/version/1.1"}