Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33508

CVE-2026-33508: Parse Server LiveQuery DoS Vulnerability

CVE-2026-33508 is a denial of service flaw in Parse Server's LiveQuery component that allows attackers to cause excessive CPU consumption through deeply nested queries. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-33508 Overview

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability has been identified in Parse Server's LiveQuery component where the requestComplexity.queryDepth configuration setting is not enforced when processing WebSocket subscription requests. This allows an attacker to send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.

Critical Impact

Remote attackers can exploit this vulnerability to cause denial of service through excessive CPU consumption by sending specially crafted WebSocket subscription requests with deeply nested queries, bypassing configured query depth limits.

Affected Products

  • Parse Server versions prior to 8.6.56
  • Parse Server 9.6.0-alpha1 through 9.6.0-alpha44
  • All Node.js deployments running vulnerable Parse Server versions

Discovery Timeline

  • 2026-03-24 - CVE-2026-33508 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-33508

Vulnerability Analysis

This vulnerability (CWE-674: Uncontrolled Recursion) exists in Parse Server's LiveQuery component, which provides real-time subscription capabilities over WebSocket connections. The core issue is that the requestComplexity.queryDepth configuration parameter—designed to limit how deeply nested query structures can be—is not applied to WebSocket subscription requests handled by the LiveQuery system.

When a Parse Server instance receives a standard REST API query, it properly validates the query depth against the configured limit. However, the LiveQuery WebSocket handler processes subscription requests through a separate code path that lacks this validation. An attacker can exploit this gap by constructing subscription queries with excessively nested logical operators (such as $and, $or, and $nor), which forces the server to recursively process these deeply nested structures without any depth limitation.

Root Cause

The root cause is a missing validation check in the LiveQuery WebSocket subscription handler. While the REST API query processor enforces the requestComplexity.queryDepth setting, the LiveQuery component's subscription processing logic does not invoke the same depth validation function. This oversight creates an inconsistent security boundary where the same malicious query that would be rejected via REST is accepted when submitted as a LiveQuery subscription.

Attack Vector

The attack is network-accessible and requires no authentication or user interaction. An attacker connects to the Parse Server's LiveQuery WebSocket endpoint and submits a subscription request containing a query with deeply nested logical operators.

The malicious subscription triggers recursive query parsing that consumes excessive CPU cycles. By crafting queries with sufficient nesting depth (e.g., hundreds or thousands of nested $and/$or operators), an attacker can cause the server to exhaust CPU resources processing the recursive structure. Multiple concurrent malicious subscriptions can amplify the impact, potentially rendering the server unresponsive to legitimate requests.

The attack does not require knowledge of the database schema or valid class names, as the recursive processing occurs during query parsing before validation of the actual data objects.

Detection Methods for CVE-2026-33508

Indicators of Compromise

  • Abnormally high CPU utilization on Parse Server nodes without corresponding increase in legitimate traffic
  • WebSocket connections with unusually large subscription payloads containing repetitive logical operators
  • Parse Server logs showing errors related to stack overflow or maximum call stack size exceeded
  • Increased connection counts to the LiveQuery WebSocket endpoint from single IP addresses

Detection Strategies

  • Monitor WebSocket subscription request sizes and flag requests exceeding normal baseline thresholds
  • Implement application-level logging to capture and analyze LiveQuery subscription query structures
  • Set up alerting for sudden CPU spikes correlated with WebSocket connection activity
  • Deploy Web Application Firewall (WAF) rules to inspect and limit deeply nested JSON structures in WebSocket messages

Monitoring Recommendations

  • Configure real-time monitoring for Parse Server process CPU and memory utilization
  • Establish baseline metrics for normal LiveQuery subscription patterns and alert on deviations
  • Log all LiveQuery WebSocket connection attempts with source IP addresses for forensic analysis
  • Monitor Node.js event loop lag as an indicator of resource exhaustion attacks

How to Mitigate CVE-2026-33508

Immediate Actions Required

  • Upgrade Parse Server to version 8.6.56 or later for stable releases
  • Upgrade to version 9.6.0-alpha.45 or later for alpha channel deployments
  • Review and tighten the requestComplexity.queryDepth configuration setting after upgrading
  • Implement rate limiting on WebSocket connections at the network or application layer

Patch Information

The Parse Server maintainers have released patches in versions 8.6.56 and 9.6.0-alpha.45 that address this vulnerability. The fixes ensure that the requestComplexity.queryDepth configuration is properly enforced for LiveQuery WebSocket subscription requests, consistent with REST API query handling.

Relevant commits and pull requests:

For detailed information, see the GitHub Security Advisory GHSA-6qh5-m6g3-xhq6.

Workarounds

  • Implement a reverse proxy or API gateway that inspects and limits the complexity of WebSocket messages before they reach Parse Server
  • Configure network-level rate limiting on the LiveQuery WebSocket endpoint to reduce the impact of exploitation attempts
  • Temporarily disable LiveQuery functionality if not essential to operations until patches can be applied
  • Deploy Parse Server behind a load balancer with health checks that can automatically restart unresponsive instances
bash
# Example nginx configuration for rate limiting WebSocket connections
# Add to your nginx server block handling Parse Server LiveQuery

limit_conn_zone $binary_remote_addr zone=ws_conn:10m;
limit_req_zone $binary_remote_addr zone=ws_req:10m rate=10r/s;

location /parse/liveQuery {
    limit_conn ws_conn 5;
    limit_req zone=ws_req burst=20 nodelay;
    
    proxy_pass http://parse-server:1337;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne