CVE-2026-33508

HIGH EPSS 26.4%
Published Mar 24, 20263mo ago · Modified Jun 17, 20261w ago
8.2 CVSS 4.0
High
Find Similar
Published Mar 24, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.

CVSS Details

Base Score
8.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
26.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-674

Affected Products 46

VendorProductVersionRange
parseplatformparse-server* <8.6.56
parseplatformparse-server*≥9.0.0  –  <9.6.0
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any
parseplatformparse-server9.6.0any

References 5

  • github.com https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
    Patch
  • github.com https://github.com/parse-community/parse-server/pull/10259
    Issue Tracking
  • github.com https://github.com/parse-community/parse-server/pull/10260
    Issue Tracking
  • github.com https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6
    Vendor Advisory

Remediation

  • github.com https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
    Patch
  • github.com https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
    Patch