PT-2026-26791 · Unknown · Parse Server
Mith36 · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33508
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.56
Parse Server versions prior to 9.6.0-alpha.45
Description
Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This affects deployments where the LiveQuery WebSocket endpoint is reachable by untrusted clients.
Recommendations
Upgrade to Parse Server version 8.6.56 or later.
Upgrade to Parse Server version 9.6.0-alpha.45 or later.
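The queryDepth check the advisory says LiveQuery skips, as an added example that is not Parse Server's own code: an iterative (non-recursive) depth counter over a subscription's `where` clause, applied to a constructed `subscribe` message before it would reach the query matcher. The message shape, the depth-counting convention, the `validateSubscribe` helper and the limit values are assumptions made for illustration.

```javascript
// Added example, not Parse Server code. Enforces a maximum nesting depth of
// Parse logical operators on a LiveQuery subscription, standing in for the
// requestComplexity.queryDepth setting the advisory says is not applied.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// Depth of the deepest $and/$or/$nor chain in a `where` clause (flat = 0).
// Walks with an explicit stack, so the check itself cannot be driven into
// deep recursion, and stops early once the limit is already exceeded.
function logicalDepth(where, limit = Infinity) {
  let max = 0;
  const stack = [{ node: where, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > max) max = depth;
    if (max > limit) return max; // early exit: result is only "over limit"
    for (const [key, value] of Object.entries(node)) {
      if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
        for (const sub of value) stack.push({ node: sub, depth: depth + 1 });
      } else if (value !== null && typeof value === 'object') {
        // Field constraints (e.g. $inQuery) may wrap a nested clause at the
        // same logical depth; descend without incrementing.
        stack.push({ node: value, depth });
      }
    }
  }
  return max;
}

// Gate a LiveQuery "subscribe" message against the configured depth limit.
// Return shape { ok, error? } is an assumption for this example.
function validateSubscribe(message, maxQueryDepth) {
  const where = (message && message.query && message.query.where) || {};
  if (logicalDepth(where, maxQueryDepth) > maxQueryDepth) {
    return { ok: false, error: `query depth exceeds limit ${maxQueryDepth}` };
  }
  return { ok: true };
}

// Constructed sample: a subscribe message whose where clause nests $or/$and
// three levels deep (a small stand-in for the advisory's nested operators).
const SAMPLE_SUBSCRIBE = {
  op: 'subscribe',
  requestId: 1,
  query: {
    className: 'Score',
    where: { $or: [{ $and: [{ $nor: [{ points: { $gt: 10 } }] }] }] },
  },
};
```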
Exploit
Fix
Uncontrolled Recursion
Weakness Enumeration
Related identifiers
Affected products
Parse Server