CVE-2026-32944 in parse-server
Summary
by MITRE • 03/19/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability described in CVE-2026-32944 affects Parse Server, a popular open-source backend designed to run on Node.js infrastructure. It is a denial-of-service condition exploitable by unauthenticated attackers, with no credentials or privileged access required. The flaw lies in the server's query parsing mechanism, which processes incoming requests containing nested query conditions. Prior to versions 9.6.0-alpha.21 and 8.6.45, the parser had no safeguard against excessively nested query operators, so a single specially crafted request could crash the server process outright.
Technically, the vulnerability stems from inadequate input validation in Parse Server's query parser. When a request contains deeply nested query condition operators, the parsing logic descends through the nesting without any depth bound; the resulting unbounded recursion or memory consumption terminates the process. This matches the CWE-400 classification, which covers improper handling of input that leads to resource exhaustion and system instability. The root cause is a missing defensive control: the parser enforced no depth limit or recursion guard when processing user-supplied data structures.
The operational impact goes beyond a brief service disruption, since Parse Server is often the entire backend for the applications that depend on it. When the server process terminates, every connected client loses access to backend services, causing application-wide downtime and potential data loss. The effect is most severe where Parse Server is a critical component of mobile or web applications, because the outage persists until the process is restarted or other manual intervention occurs. Because the attack requires only a single malicious request, it is easy to automate against public-facing deployments, which makes it especially dangerous in production environments.
The fix shipped in versions 9.6.0-alpha.21 and 8.6.45 introduces a configurable depth limit through the `requestComplexity.queryDepth` server option, letting administrators tune the boundary to their application's actual query patterns. This is a defensive-programming control: a depth constraint enforced at the parsing layer before the nested conditions are processed. Organizations must upgrade to a patched version and also configure the option, because it is disabled by default to avoid a breaking change; that default preserves backward compatibility but means the upgrade alone does not provide protection. With no known workarounds, upgrading and setting the option is the only available defense. This issue maps to ATT&CK technique T1499.004, a denial-of-service technique, and affects the availability leg of the CIA triad by compromising uptime and service accessibility.
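The following is an added example, not code from parse-server, showing the kind of control the `requestComplexity.queryDepth` option provides: a bounded walk over a Parse-style `where` clause that rejects a request as soon as nesting exceeds the configured limit, so the check itself can never recurse without bound. The operator names, the depth-counting rule (each nested condition object is one level) and the limits used are assumptions made for illustration.

```javascript
'use strict';

// Logical operators in a Parse `where` clause wrap arrays of sub-conditions
// (assumed set for this example).
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Return the deepest nesting of condition objects in `where`, giving up as soon
// as `maxDepth` is exceeded so the walk itself stays bounded. The top-level
// clause is depth 1; {"score": {"$gt": 5}} is therefore depth 2.
function measureQueryDepth(where, maxDepth, depth = 1) {
  if (depth > maxDepth) {
    throw new RangeError(`query condition nesting exceeds ${maxDepth}`);
  }
  let deepest = depth;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
      for (const sub of value) {
        if (sub && typeof sub === 'object') {
          deepest = Math.max(deepest, measureQueryDepth(sub, maxDepth, depth + 1));
        }
      }
    } else if (value && typeof value === 'object' && !Array.isArray(value)) {
      // Field constraints such as {"score": {"$gt": 5}} or {"$not": {...}}.
      deepest = Math.max(deepest, measureQueryDepth(value, maxDepth, depth + 1));
    }
  }
  return deepest;
}

// Admission check a request handler would run before touching the query:
// true if the clause is within the limit, false if it must be rejected.
function isWithinQueryDepth(where, maxDepth) {
  try {
    measureQueryDepth(where, maxDepth);
    return true;
  } catch (err) {
    if (err instanceof RangeError) return false;
    throw err;
  }
}

// Constructed test fixture: `levels` nested $or operators around one simple
// constraint, built iteratively so the builder never recurses.
function buildNestedOr(levels) {
  let where = { score: { $gt: 5 } };
  for (let i = 0; i < levels; i += 1) {
    where = { $or: [where] };
  }
  return where;
}
```

A limit of 20 comfortably admits ordinary application queries while rejecting a 100,000-level clause after only 21 steps.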