CVE-2026-33498
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
Patches
The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.
Workarounds
None.
AnalysisAI
Parse Server is vulnerable to a permanent denial-of-service attack that bypasses the previous CVE-2026-32944 fix. An unauthenticated attacker can send a specially crafted HTTP request containing deeply nested query structures with logical operators to permanently hang the Parse Server process, requiring manual restart. This affects parse-server npm package installations, and patches are available from the vendor.
Technical ContextAI
This vulnerability affects Parse Server, an open-source backend framework distributed via npm (pkg:npm/parse-server). The root cause is classified as CWE-674 (Uncontrolled Recursion), where the query transformation pipeline processes deeply nested logical operator structures recursively before validation guards can activate. The previous fix for CVE-2026-32944 implemented depth checking, but the validation occurred too late in the processing pipeline. The current patch relocates the nesting depth validation to occur before queries enter the transformation pipeline, preventing recursive processing of malicious structures entirely.
RemediationAI
Apply the patches provided in GitHub pull requests available at https://github.com/parse-community/parse-server/pull/10257 and https://github.com/parse-community/parse-server/pull/10258. Upgrade to the patched version of parse-server once released by monitoring the security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j for version-specific guidance. No workarounds are available according to the vendor advisory, making patching the only effective mitigation. Until patching is complete, consider implementing rate limiting and request filtering at the reverse proxy or WAF layer to detect and block requests with abnormally large or deeply nested query structures, though this is not a complete substitute for applying the official patch.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9fjp-q3c4-6w3j