CVE-2026-33498
Published: 24 March 2026
Summary
CVE-2026-33498 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates the vulnerability by applying patches to Parse Server versions 8.6.55 or 9.6.0-alpha.44 that fix the uncontrolled recursion in query processing.
Denial-of-service protection implements mechanisms like request throttling or filtering to block specially crafted deeply nested queries that hang the server process.
Information input validation scrutinizes HTTP query parameters for deeply nested logical operators, preventing uncontrolled recursion and server hangs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE directly describes unauthenticated remote exploitation of a public Parse Server via crafted HTTP query causing indefinite hang through uncontrolled recursion (CWE-674), matching T1499.004 Application or System Exploitation for Endpoint DoS.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators…
more
to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
Deeper analysisAI
CVE-2026-33498 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js-compatible infrastructure. In versions prior to 8.6.55 and 9.6.0-alpha.44, the issue allows an unauthenticated HTTP request containing a deeply nested query with logical operators to cause the Parse Server process to hang indefinitely. This renders the server completely unresponsive, necessitating a manual restart, and represents a bypass of the mitigation for the related CVE-2026-32944. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-674 (Uncontrolled Recursion).
Any unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Parse Server instance accessible over the network. Successful exploitation leads to a permanent denial of service, as the server process becomes unresponsive without consuming excessive resources beyond the recursive query processing, forcing administrators to restart the service manually.
The issue has been addressed in Parse Server versions 8.6.55 and 9.6.0-alpha.44, with patches detailed in GitHub commits 2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5 and 85994eff9e7b34cac7e1a2f5791985022a1461d1, as well as pull requests 10257 and 10258. Security practitioners should upgrade to these fixed versions immediately, as outlined in the official advisory at GHSA-9fjp-q3c4-6w3j.
Details
- CWE(s)