CVE-2026-33508
Published 2026-03-24
Priority: P3 (43)
Severity: High, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.34% (26.3rd percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.56 | 8.6.56 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.56 | 8.6.56 |
| parse-community | parse-server | >= 9.0.0 < 9.6.0-alpha.45 | 9.6.0-alpha.45 |
| parseplatform | parse-server | < 8.6.56 | 8.6.56 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 9.0.0 < 9.6.0 | 9.6.0 |
The parseplatform 9.x row rounds the fix to the 9.6.0 release; the advisory itself names the exact pre-release, 9.6.0-alpha.45, as the first fixed 9.x build.
CVSS provenance
NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD, CVSS v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
GHSA
Parse Server LiveQuery subscription query depth bypass
GHSA advisory published 2026-03-20: CVE-2026-33508, severity HIGH, CWE-674 (Uncontrolled Recursion).
### Impact
Parse Server's LiveQuery component does not enforce the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.
Deployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients; the CVSS vector (PR:N, UI:N) reflects that no credentials or user interaction are needed to send a subscription.
### Patches
The fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same `requestComplexity.queryDepth` limit that already protects REST API queries.
### Workarounds
There is no known workaround other than upgrading.
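The following is an added illustration of the kind of check the advisory describes, not Parse Server's own code or the actual patch: a depth limit applied to the `where` clause of a LiveQuery `subscribe` message before the query is evaluated. The configuration key `requestComplexity.queryDepth` is taken from the advisory; the `subscribe` message shape follows the LiveQuery protocol; the `error` response shape and the `handleSubscribe` / `exceedsQueryDepth` / `buildNestedSubscribe` names are assumptions made for this example. The check is deliberately iterative, so that a hostile payload cannot turn the validator itself into the unbounded recursion it is meant to prevent.

```javascript
// Added example, not Parse Server code. Demonstrates bounding the nesting of
// logical operators ($and/$or/$nor) in a LiveQuery subscription's `where`.
// Depth convention: a `where` with no logical operators has depth 0; every
// nested $and/$or/$nor level adds one. Sub-query operators ($inQuery, $select)
// are out of scope here.

const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// Returns true when `where` nests logical operators deeper than `maxDepth`.
// Uses an explicit stack and returns at the first node beyond the limit, so
// the cost of the check is bounded regardless of how deep the payload is.
function exceedsQueryDepth(where, maxDepth) {
  if (!Number.isInteger(maxDepth) || maxDepth < 1) {
    throw new TypeError('maxDepth must be a positive integer');
  }
  const stack = [{ node: where, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > maxDepth) return true;
    if (node === null || typeof node !== 'object') continue; // leaf or malformed clause
    for (const [key, value] of Object.entries(node)) {
      if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
        // Each clause under $and/$or/$nor sits one level deeper.
        for (const clause of value) stack.push({ node: clause, depth: depth + 1 });
      }
    }
  }
  return false;
}

// Constructed sample input: a subscribe message whose `where` nests $or
// `levels` deep. Built with a loop, not recursion, so building the payload
// itself cannot overflow the stack.
function buildNestedSubscribe(levels, className = 'Comment') {
  let where = { text: 'hello' };
  for (let i = 0; i < levels; i++) {
    where = { $or: [where, { text: 'world' }] };
  }
  return { op: 'subscribe', requestId: 1, query: { className, where } };
}

// Hypothetical hardened handler: validate depth before doing anything else
// with the query. The error object shape is illustrative only.
function handleSubscribe(message, config) {
  const maxDepth = config.requestComplexity.queryDepth;
  const where = (message.query && message.query.where) || {};
  if (exceedsQueryDepth(where, maxDepth)) {
    return {
      op: 'error',
      requestId: message.requestId,
      error: `Query depth exceeds limit of ${maxDepth}`,
    };
  }
  return { op: 'subscribed', requestId: message.requestId };
}

// Usage with an assumed limit of 10 nested logical operators.
const exampleConfig = { requestComplexity: { queryDepth: 10 } };
console.log(handleSubscribe(buildNestedSubscribe(3), exampleConfig).op);     // subscribed
console.log(handleSubscribe(buildNestedSubscribe(50000), exampleConfig).op); // error
```

The 50,000-level payload is rejected after inspecting only eleven levels, which is the property a fix for this class of bug needs: the cost of deciding to refuse must not scale with the attacker's input. A recursive validator that walked the whole tree before deciding would reproduce the CPU and stack exhaustion the advisory describes.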
OSV
OSV entry published 2026-03-20 (CVE-2026-33508 [HIGH], Parse Server LiveQuery subscription query depth bypass): carries the same Impact, Patches and Workarounds text as the GHSA entry above.
No detection rules found.
No public exploits indexed.
References
https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
https://github.com/parse-community/parse-server/pull/10259
https://github.com/parse-community/parse-server/pull/10260
https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6