CVE-2026-33498
HIGH
8,7
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
674
Uncontrolled Recursion
DraftCommon Consequences
Security Scopes Affected:
Availability
Confidentiality
Potential Impacts:
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Read Application Data
Applicable Platforms
All platforms may be affected
https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0…
https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5…
https://github.com/parse-community/parse-server/pull/10257
https://github.com/parse-community/parse-server/pull/10258
https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q…