Vulnerability in LiveQuery Component of Parse Server Affects Node.js Deployments
CVE-2026-33508
8.2 HIGH
What is CVE-2026-33508?
The LiveQuery component of Parse Server, which runs on Node.js, fails to enforce the requestComplexity.queryDepth setting. Prior to versions 8.6.56 and 9.6.0-alpha.45, an attacker could craft a WebSocket subscription request that includes deeply nested logical operators. This could lead to excessive recursion and CPU consumption, potentially causing service disruption. The issue is addressed in those versions, and deployments should apply the update.
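The following added example (not Parse Server's code and not the project's patch) sketches the kind of check that was missing: measuring logical-operator nesting in a LiveQuery subscribe message iteratively and rejecting it once a limit is exceeded. The function names, the sample message, and the definition of depth as the number of nested `$or`/`$and`/`$nor` levels are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; helper names are hypothetical, not Parse Server APIs.
const LOGICAL_OPS = new Set(['$or', '$and', '$nor']);

// Measure how deeply logical operators are nested in a `where` clause.
// Uses an explicit stack instead of recursion and stops as soon as `limit`
// is exceeded, so the check itself does bounded work on hostile input.
function logicalDepth(where, limit) {
  const stack = [{ node: where, depth: 0 }];
  let max = 0;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    for (const [key, value] of Object.entries(node)) {
      if (!LOGICAL_OPS.has(key) || !Array.isArray(value)) continue;
      const next = depth + 1;
      if (next > max) max = next;
      if (max > limit) return max; // early exit: already over the limit
      for (const sub of value) stack.push({ node: sub, depth: next });
    }
  }
  return max;
}

// Validate a LiveQuery message before any query matching happens.
// `maxDepth` stands in for the configured requestComplexity.queryDepth.
function validateSubscribe(message, maxDepth) {
  if (!message || message.op !== 'subscribe') return { ok: true };
  const where = message.query && message.query.where;
  const depth = logicalDepth(where, maxDepth);
  return depth > maxDepth
    ? { ok: false, error: `query depth exceeds limit of ${maxDepth}` }
    : { ok: true };
}

// Constructed sample subscribe message with two levels of nesting.
const SAMPLE = {
  op: 'subscribe',
  requestId: 1,
  query: {
    className: 'Item',
    where: { $or: [{ a: 1 }, { $and: [{ b: 2 }, { c: 3 }] }] },
  },
};

console.log(validateSubscribe(SAMPLE, 5)); // accepted
console.log(validateSubscribe(SAMPLE, 1)); // rejected
```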
Affected Version(s)
parse-server < 8.6.56
parse-server >= 9.0.0, < 9.6.0-alpha.45
