CVE-2026-30946: Parse Server API Complexity DoS

The vulnerability lies in the absence of complexity validation for incoming queries in both the REST and GraphQL APIs of Parse Server. An unauthenticated attacker could craft queries that are either deeply nested or excessively broad, consuming significant server resources (CPU, memory) and leading to a denial-of-service.

For the REST API, the vulnerability is addressed by introducing checks within the query processing logic in src/RestQuery.js. Specifically:

  1. The _UnsafeRestQuery.execute function now validates the number and depth of include paths.
  2. The _UnsafeRestQuery.buildRestWhere function now checks the nesting depth of subqueries ($inQuery, $notInQuery, $select, $dontSelect).
  3. The recursive functions that handle these subqueries (replaceInQuery, etc.) were modified to track the nesting depth.
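As an added illustration of the REST-side checks (example code, not Parse Server's own), the following JavaScript tracks nesting depth across the four subquery operators named above, treats `$or`/`$and`/`$nor` compound clauses as same-level siblings, and bounds the number and depth of include paths. The limit values, the `nestedInQuery` helper and the class names are assumptions for this example.

```javascript
// Added example (not Parse Server's own code): depth tracking for the REST
// subquery operators named above, plus include-path limits. Limit values are assumed.
const MAX_SUBQUERY_DEPTH = 3, MAX_INCLUDE_PATHS = 20, MAX_INCLUDE_DEPTH = 5;
// Where each operator keeps its nested `where` in Parse's REST query format.
const NESTED_WHERE = {
  $inQuery: q => q.where, $notInQuery: q => q.where,
  $select: q => q.query && q.query.where, $dontSelect: q => q.query && q.query.where,
};
// Returns the deepest subquery nesting level found in a Parse `where` object.
function subqueryDepth(where, depth = 0) {
  if (where === null || typeof where !== 'object') return depth;
  let max = depth;
  for (const [key, value] of Object.entries(where)) {
    if (value === null || typeof value !== 'object') continue;
    if (['$or', '$and', '$nor'].includes(key) && Array.isArray(value)) {
      // Compound clauses are siblings at the same level, not deeper subqueries.
      for (const clause of value) max = Math.max(max, subqueryDepth(clause, depth));
      continue;
    }
    for (const [op, nested] of Object.entries(NESTED_WHERE)) {
      const inner = value[op] && nested(value[op]);
      if (inner) max = Math.max(max, subqueryDepth(inner, depth + 1));
    }
  }
  return max;
}

// Rejects a where clause whose subquery nesting exceeds the limit; returns the depth.
function validateWhere(where) {
  const depth = subqueryDepth(where);
  if (depth > MAX_SUBQUERY_DEPTH) throw new Error(`subquery depth ${depth} exceeds ${MAX_SUBQUERY_DEPTH}`);
  return depth;
}

// Validates the REST `include` parameter (comma-separated dotted paths) on count and depth.
function validateIncludes(include) {
  const paths = include.split(',').map(p => p.trim()).filter(Boolean);
  if (paths.length > MAX_INCLUDE_PATHS) throw new Error(`too many include paths: ${paths.length}`);
  for (const path of paths) {
    if (path.split('.').length > MAX_INCLUDE_DEPTH) throw new Error(`include too deep: ${path}`);
  }
  return paths.length;
}

// Constructed test input (assumed class names): a where clause with `n` nested $inQuery levels.
function nestedInQuery(n) {
  let where = { name: 'x' };
  for (let i = 0; i < n; i++) where = { owner: { $inQuery: { className: 'Owner', where } } };
  return where;
}
```

Because the depth counter is computed before any database round-trip, a request exceeding the limit is rejected at parse time rather than after the subqueries have already been fanned out.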

For the GraphQL API, the fix involves adding a new Apollo Server plugin (createComplexityValidationPlugin) during the server’s initialization in src/GraphQL/ParseGraphQLServer.js. This plugin inspects each incoming GraphQL query’s abstract syntax tree (AST) to calculate its complexity (depth and number of fields) and rejects any query that exceeds the configured limits.

By adding these checks, the patch mitigates the denial-of-service vector by rejecting overly complex queries before they can exhaust server resources.