CVE-2026-33508 in parse-server
Summary
by MITRE • 03/24/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2026-33508 affects Parse Server versions prior to 8.6.56 and 9.6.0-alpha.45, specifically targeting the LiveQuery component's handling of WebSocket subscription requests. This represents a critical security flaw that undermines the system's ability to maintain service availability under malicious input conditions. The issue stems from insufficient validation of request complexity parameters within the LiveQuery subsystem, creating an avenue for attackers to exploit the system's recursive processing capabilities.
The technical flaw manifests through the improper enforcement of the requestComplexity.queryDepth configuration setting, which is designed to limit the depth of nested logical operators in queries. When attackers submit subscription requests containing deeply nested logical operators, the system processes these requests without adequate depth restrictions, leading to excessive recursion patterns. This recursive processing consumes disproportionate CPU resources and can escalate to complete service disruption. The vulnerability specifically impacts WebSocket connections used by the LiveQuery feature, which enables real-time data synchronization between clients and the server.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially causing complete service outages. Attackers can exploit this weakness to perform resource exhaustion attacks that consume CPU cycles and memory resources at an alarming rate. The recursive nature of the processing means that even relatively small subscription requests can trigger substantial computational overhead, making the system vulnerable to denial-of-service conditions. This vulnerability directly affects Parse Server deployments that rely on LiveQuery functionality for real-time data updates and notifications.
Mitigation strategies should prioritize immediate deployment of patched versions 8.6.56 and 9.6.0-alpha.45, which properly enforce the queryDepth configuration setting. System administrators should also implement additional monitoring for unusual WebSocket activity patterns and establish rate limiting mechanisms for LiveQuery subscription requests. The vulnerability aligns with CWE-400, which covers excessive resource consumption, and relates to ATT&CK technique T1499.004 for resource exhaustion attacks. Organizations should also consider implementing request validation layers and configuring appropriate timeouts to prevent recursive processing from consuming excessive system resources. The fix addresses the core issue by ensuring that the requestComplexity.queryDepth parameter is properly enforced during WebSocket subscription processing, thereby preventing attackers from exploiting the recursion vulnerability.