CVE-2026-33508
UNKNOWN
NVD
CVSS Score
0
Severity
UNKNOWN
Published
Mar 24, 2026
Vendor
unknown
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
References
- https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
- https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
- https://github.com/parse-community/parse-server/pull/10259
- https://github.com/parse-community/parse-server/pull/10260
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6