CVE-2026-33498

HIGH

Parse Server: Query condition depth bypass via pre-validation transform pipeline

Title source: cna

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.

References (5)

[X_Refsource_Confirm] https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j

[X_Refsource_Misc] https://github.com/parse-community/parse-server/pull/10257

[X_Refsource_Misc] https://github.com/parse-community/parse-server/pull/10258

[X_Refsource_Misc] https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (5)

npm/parse-server 9.0.0 - 9.6.0-alpha.44npm

parse-community/parse-server < 8.6.55

parse-community/parse-server >= 9.0.0, < 9.6.0-alpha.44

parseplatform/parse-server 9.6.0 alpha1 (43 CPE variants)

parseplatform/parse-server < 8.6.55

Published Mar 24, 2026

Tracked Since Mar 25, 2026