CVE-2026-33498
published 2026-03-24CVE-2026-33498: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an…
PriorityP346high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.45%
36.0th percentile
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parseplatform | parse-server | < 8.6.55 | 8.6.55 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 0 < 8.6.55 | 8.6.55 |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0 | 9.6.0 |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0-alpha.44 | 9.6.0-alpha.44 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa8.7HIGH
osv8.7HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Parse Server has a query condition depth bypass via pre-validation transform pipeline
osv·2026-03-20·CVSS 8.7
CVE-2026-33498 [HIGH] Parse Server has a query condition depth bypass via pre-validation transform pipeline
Parse Server has a query condition depth bypass via pre-validation transform pipeline
### Impact
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
### Patches
The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.
### Workarounds
None.
GHSA
Parse Server has a query condition depth bypass via pre-validation transform pipeline
ghsa·2026-03-20·CVSS 8.7
CVE-2026-33498 [HIGH] CWE-674 Parse Server has a query condition depth bypass via pre-validation transform pipeline
Parse Server has a query condition depth bypass via pre-validation transform pipeline
### Impact
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
### Patches
The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.
### Workarounds
None.
No detection rules found.
No public exploits indexed.
https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1https://github.com/parse-community/parse-server/pull/10257https://github.com/parse-community/parse-server/pull/10258https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j
2026-03-24
Published