CVE-2026-32944 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains a denial of service vulnerability in versions prior to 9.6.0-alpha.21 and 8.6.45. An unauthenticated attacker can crash the Parse Server process by sending a single request containing deeply nested query condition operators. This vulnerability terminates the server and denies service to all connected clients, making it a significant availability concern for applications relying on Parse Server.
Critical Impact
A single malicious request from an unauthenticated attacker can crash the entire Parse Server instance, causing complete service disruption for all connected clients.
Affected Products
- Parse Server versions prior to 8.6.45
- Parse Server versions 9.6.0-alpha1 through 9.6.0-alpha20
- Any Parse Server deployment on Node.js infrastructure without query depth limiting
Discovery Timeline
- 2026-03-18 - CVE-2026-32944 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32944
Vulnerability Analysis
This vulnerability (CWE-674: Uncontrolled Recursion) exists in Parse Server's query processing mechanism. The server fails to impose depth limits on nested query condition operators, allowing attackers to craft requests with extremely deep nesting structures. When the server attempts to process these deeply nested queries, it exhausts available resources and crashes.
The vulnerability is particularly concerning because it requires no authentication to exploit. Any user who can send requests to the Parse Server API can trigger the denial of service condition. The attack can be executed with a single crafted request, making it trivial to exploit and highly impactful.
Root Cause
The root cause is the absence of depth validation for query condition operators in Parse Server's request handling logic. Prior to the fix, Parse Server would recursively process query conditions without checking how deeply nested they were. This lack of boundary checking allows malicious input to trigger uncontrolled recursion, ultimately causing a stack overflow or resource exhaustion that crashes the Node.js process.
Attack Vector
The attack is conducted over the network and requires no user interaction or authentication. An attacker constructs a query request containing condition operators (such as $and, $or, $not) nested to an extreme depth. When this request is submitted to the Parse Server API endpoint, the server attempts to parse and process the deeply nested structure.
The deeply nested query causes the server to perform recursive operations that exceed safe limits, leading to a crash. Since Parse Server runs as a single Node.js process in typical deployments, this crash terminates service for all clients. The attack can be repeated continuously to maintain the denial of service condition.
Detection Methods for CVE-2026-32944
Indicators of Compromise
- Parse Server process unexpectedly terminating or restarting frequently
- Large incoming requests to Parse Server API endpoints containing deeply nested JSON structures
- Error logs indicating stack overflow or maximum call stack size exceeded
- Unusual patterns of single requests followed by immediate server crashes
Detection Strategies
- Monitor Parse Server process health and implement alerting on unexpected terminations
- Implement request logging and analyze incoming queries for abnormal nesting depth
- Deploy application-level firewalls or middleware to inspect JSON payload structure before reaching Parse Server
- Set up automated monitoring for Node.js process crashes and memory exhaustion events
Monitoring Recommendations
- Configure process managers (PM2, systemd) to alert on Parse Server restarts
- Implement log aggregation to correlate incoming requests with server crash events
- Monitor request payload sizes and JSON parsing metrics
- Set up network-level monitoring for repeated requests from the same source followed by service disruption
How to Mitigate CVE-2026-32944
Immediate Actions Required
- Upgrade Parse Server to version 8.6.45 or 9.6.0-alpha.21 or later immediately
- After upgrading, configure the requestComplexity.queryDepth server option to limit query nesting depth
- Review server logs for evidence of exploitation attempts
- Implement rate limiting on API endpoints as a temporary protective measure
Patch Information
Parse Server has released security patches in versions 8.6.45 and 9.6.0-alpha.21. These patches introduce a new server option called requestComplexity.queryDepth that limits the maximum depth of query condition operator nesting. The option is disabled by default to avoid breaking changes, so administrators must explicitly configure an appropriate depth limit after upgrading.
For detailed patch information, refer to GitHub Pull Request #10202 and GitHub Pull Request #10203. The Parse Server Security Advisory GHSA-9xp9-j92r-p88v provides additional context and guidance.
Workarounds
- No official workarounds are available according to the vendor advisory
- Consider placing a reverse proxy or API gateway in front of Parse Server to reject requests with excessive JSON nesting
- Implement network-level rate limiting to slow potential denial of service attempts
- Deploy Parse Server behind a load balancer with health checks to quickly route around crashed instances
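As an added example (not Parse Server's own code), the depth check that the middleware and reverse-proxy workarounds above describe: an Express-style handler that walks the parsed JSON body iteratively, counts how deeply the condition operators named on this page ($and, $or, $nor, $not) are nested, and rejects the request before it reaches Parse Server. It assumes a body parser has already populated `req.body`; the sample payloads are constructed, not captured traffic.

```javascript
// Added example: pre-Parse-Server middleware limiting query condition nesting.
// Assumes JSON has already been parsed into req.body (e.g. by express.json()).
const CONDITION_OPERATORS = new Set(['$and', '$or', '$nor', '$not']);

// Returns the deepest operator nesting found in `value`, stopping early once
// it exceeds `limit`. Uses an explicit stack, so hostile input cannot blow the
// call stack of the check itself (the failure mode this CVE exploits).
function maxConditionDepth(value, limit) {
  const stack = [[value, 0]];
  let max = 0;
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (depth > max) max = depth;
    if (max > limit) return max; // already over the limit, no need to go on
    if (node === null || typeof node !== 'object') continue;
    if (Array.isArray(node)) {
      for (const item of node) stack.push([item, depth]);
      continue;
    }
    for (const [key, child] of Object.entries(node)) {
      // Only operator keys add a level; ordinary field constraints do not.
      stack.push([child, CONDITION_OPERATORS.has(key) ? depth + 1 : depth]);
    }
  }
  return max;
}

// Middleware factory: reject bodies whose operator nesting exceeds `limit`.
// Parse REST queries carry constraints under "where", but the whole body is
// scanned so the placement of the operators does not matter.
function conditionDepthLimit(limit) {
  return function (req, res, next) {
    if (req.body !== undefined && maxConditionDepth(req.body, limit) > limit) {
      res.status(400).json({ error: 'query condition nesting too deep' });
      return;
    }
    next();
  };
}

// Constructed sample: a Parse-style query with `depth` levels of $or nesting.
function nestedOrQuery(depth) {
  let where = { score: { $gt: 1 } };
  for (let i = 0; i < depth; i++) where = { $or: [where] };
  return { where, _method: 'GET' };
}
```

Mount it before the Parse Server mount path (for example `app.use('/parse', conditionDepthLimit(10))`) so it complements, rather than replaces, the `requestComplexity.queryDepth` option on a patched server.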
// Configuration example after upgrading Parse Server
// Add to your Parse Server configuration
// For Parse Server 8.6.45+
// Set queryDepth to an appropriate value for your application
// Lower values provide more protection but may limit legitimate queries
const { ParseServer } = require('parse-server');

const parseServer = new ParseServer({
  // ... other configuration options
  requestComplexity: {
    queryDepth: 10 // Adjust based on your application's requirements
  }
});
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.