BIT-parse-2026-33508
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-33508.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-parse-2026-33508
- Aliases
- Published
- 2026-03-27T07:14:33.818Z
- Modified
- 2026-03-27T08:56:23.155610Z
- Summary
- Parse Server: LiveQuery subscription query depth bypass
- Details
-
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0
- Database specific
{ "severity": "High", "cpes": [ "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*" ] }- References
-
- https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
- https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
- https://github.com/parse-community/parse-server/pull/10259
- https://github.com/parse-community/parse-server/pull/10260
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6
- https://nvd.nist.gov/vuln/detail/CVE-2026-33508
Affected packages
Bitnami / parse
Package
- Name
- parse
- Purl
- pkg:bitnami/parse
Severity
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator