CVE-2026-33508
Published: 24 March 2026
Summary
CVE-2026-33508 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 19.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of query depth in WebSocket subscription requests to block deeply nested logical operators that trigger uncontrolled recursion and CPU exhaustion.
- SC-5 (Denial-of-service Protection): Protects against denial of service by limiting the effects of resource exhaustion from malicious WebSocket subscriptions with excessive complexity.
- Flaw remediation: Remediates the LiveQuery flaw by timely patching so that requestComplexity.queryDepth is enforced during WebSocket processing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Parse Server LiveQuery component allows a remote, unauthenticated attacker to trigger a denial of service with crafted WebSocket requests that cause uncontrolled recursion and resource exhaustion. This maps directly to Exploit Public-Facing Application (T1190) and to Endpoint Denial of Service: Application or System Exploitation (T1499.004).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
Deeper analysis
CVE-2026-33508 affects Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. The vulnerability resides in the LiveQuery component, which fails to enforce the requestComplexity.queryDepth configuration setting during WebSocket subscription request processing in versions prior to 8.6.56 and 9.6.0-alpha.45. This flaw, classified under CWE-674 (Uncontrolled Recursion), enables an attacker to submit a subscription request containing deeply nested logical operators, triggering excessive recursion and high CPU consumption that leads to service degradation or denial of service. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its availability impact.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending a malicious WebSocket subscription request with nested operators exceeding the intended query depth limits, the attacker induces unbounded recursion in the LiveQuery processing logic, resulting in resource exhaustion and potential disruption of Parse Server's availability for legitimate users.
Parse Server maintainers have addressed the issue in versions 8.6.56 and 9.6.0-alpha.45, where the LiveQuery component now properly enforces the requestComplexity.queryDepth setting. Security practitioners should upgrade to these patched versions immediately. Detailed patch information is available in GitHub commits 060d27053fb0fadf613c25aabab7fe0c82b7a899 and 2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b, pull requests #10259 and #10260, and the security advisory at GHSA-6qh5-m6g3-xhq6.
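The input-validation control described above (SI-10) comes down to one gate: measure how deeply the logical operators in a subscription's `where` clause are nested and reject the message before any matching work starts. The following is an added example written for this page, not Parse Server's own code or its patch; the function names, the message shape, the `limits.queryDepth` option standing in for `requestComplexity.queryDepth`, and the two sample messages are all constructed assumptions. The design point worth noting is that the depth check walks the query with an explicit stack and stops as soon as the limit is crossed, so the validator itself cannot be driven into the recursion it is guarding against.

```javascript
// Added example (not Parse Server code): bounded depth check for the `where`
// clause of a LiveQuery-style subscription. All names below are assumptions.

// Logical operators that combine sub-queries and therefore add nesting depth.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// Returns the deepest nesting of logical operators found in `where`, but stops
// as soon as any node sits deeper than `maxDepth`, so a hostile query costs at
// most O(limit * width) work here. An explicit stack replaces recursion so the
// check cannot itself be exhausted by deep input.
function measureQueryDepth(where, maxDepth) {
  let deepest = 0;
  const stack = [{ node: where, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > maxDepth) return depth; // over the limit: stop counting
    if (node === null || typeof node !== 'object') continue;
    deepest = Math.max(deepest, depth);
    for (const [key, value] of Object.entries(node)) {
      if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
        // Each clause under $and/$or/$nor is one level deeper.
        for (const clause of value) stack.push({ node: clause, depth: depth + 1 });
      } else if (value !== null && typeof value === 'object') {
        // Field constraints ({score: {$gt: 10}}) add no logical depth, but their
        // contents are still visited in case operators are nested inside them.
        stack.push({ node: value, depth });
      }
    }
  }
  return deepest;
}

// Gate applied to a subscription message before any matching work is done.
// `limits.queryDepth` plays the role of requestComplexity.queryDepth (assumed).
function validateSubscription(message, limits) {
  const where = (message && message.query && message.query.where) || {};
  const depth = measureQueryDepth(where, limits.queryDepth);
  if (depth > limits.queryDepth) {
    return { ok: false, depth, error: `query depth ${depth} exceeds limit ${limits.queryDepth}` };
  }
  return { ok: true, depth };
}

// Constructed sample messages, not captured traffic.
const FLAT_SUBSCRIPTION = {
  op: 'subscribe', requestId: 1,
  query: { className: 'Score', where: { playerName: 'alice', score: { $gt: 10 } } },
};
const NESTED_SUBSCRIPTION = {
  op: 'subscribe', requestId: 2,
  query: {
    className: 'Score',
    where: { $or: [{ $and: [{ $or: [{ score: 1 }] }] }, { score: 2 }] },
  },
};

const LIMITS = { queryDepth: 2 }; // assumed deployment setting

if (typeof module !== 'undefined' && require.main === module) {
  console.log(validateSubscription(FLAT_SUBSCRIPTION, LIMITS));   // accepted, depth 0
  console.log(validateSubscription(NESTED_SUBSCRIPTION, LIMITS)); // rejected, depth 3
}
```

A rejected message should be answered with an error frame and logged with the request id and measured depth; a count of such rejections per connection is a cheap detection signal for the behaviour this CVE describes, and a sustained rate from one client is grounds to close the socket.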
Details
- CWE(s)