Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
Published: 2026-03-24
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch immediately
AI Analysis

Impact

Parse Server’s LiveQuery component allows clients to subscribe to real‑time data over WebSockets. Before version 8.6.56 and 9.6.0‑alpha.45 the component ignored the requestComplexity.queryDepth configuration. An attacker can submit a subscription query that nests logical operators to a depth that exceeds the configured limit, forcing the server to recurse deeply and consume excessive CPU resources. This results in service degradation or unavailability for legitimate users. The vulnerability is a severe denial‑of‑service flaw (CWE‑674).

Affected Systems

The affected product is the open‑source Parse Server developed by parse-community. The vulnerability applies to all runs of Parse Server before version 8.6.56 and prior to the 9.6.0‑alpha.45 release. The patch is included in those two releases and later versions. Update to a patched version to eliminate the problem.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. The EPSS score is below 1 %, suggesting exploitation is unlikely but still possible. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to send a crafted WebSocket subscription carrying deeply nested logical operators, which is inferred from the description. The attack can be carried out over any publicly reachable WebSocket endpoint that hosts LiveQuery, so best practice is to keep the service updated and/or restrict or disable LiveQuery when not needed.

Generated by OpenCVE AI on March 25, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Parse Server to version 8.6.56 or later (including 9.6.0‑alpha.45) to apply the fix.
  • If updating immediately is not feasible, temporarily disable the LiveQuery feature or configure requestComplexity.queryDepth to a low value to prevent deep recursion.
  • Monitor server CPU usage for unusual spikes and verify that WebSocket subscription handling remains within acceptable limits.

Generated by OpenCVE AI on March 25, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6qh5-m6g3-xhq6 Parse Server LiveQuery subscription query depth bypass
History

Wed, 25 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha28:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha29:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha30:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha31:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha32:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha33:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha34:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha35:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha36:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha37:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha38:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha39:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha40:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha41:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha42:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha43:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha44:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 24 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
Title Parse Server: LiveQuery subscription query depth bypass
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:28:29.657Z

Reserved: 2026-03-20T16:59:08.889Z

Link: CVE-2026-33508

cve-icon Vulnrichment

Updated: 2026-03-25T13:57:16.414Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T19:16:54.220

Modified: 2026-03-25T21:21:17.480

Link: CVE-2026-33508

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:18:58Z

Weaknesses