Skip to main content

CVE-2026-33498

HIGH
Uncontrolled Recursion (CWE-674)
2026-03-20 https://github.com/parse-community/parse-server GHSA-9fjp-q3c4-6w3j
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
Patch released
Mar 20, 2026 - 21:01 nvd
Patch available
CVE Published
Mar 20, 2026 - 20:56 nvd
HIGH 8.7

DescriptionGitHub Advisory

Impact

An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.

Patches

The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.

Workarounds

None.

AnalysisAI

Parse Server is vulnerable to a permanent denial-of-service attack that bypasses the previous CVE-2026-32944 fix. An unauthenticated attacker can send a specially crafted HTTP request containing deeply nested query structures with logical operators to permanently hang the Parse Server process, requiring manual restart. This affects parse-server npm package installations, and patches are available from the vendor.

Technical ContextAI

This vulnerability affects Parse Server, an open-source backend framework distributed via npm (pkg:npm/parse-server). The root cause is classified as CWE-674 (Uncontrolled Recursion), where the query transformation pipeline processes deeply nested logical operator structures recursively before validation guards can activate. The previous fix for CVE-2026-32944 implemented depth checking, but the validation occurred too late in the processing pipeline. The current patch relocates the nesting depth validation to occur before queries enter the transformation pipeline, preventing recursive processing of malicious structures entirely.

RemediationAI

Apply the patches provided in GitHub pull requests available at https://github.com/parse-community/parse-server/pull/10257 and https://github.com/parse-community/parse-server/pull/10258. Upgrade to the patched version of parse-server once released by monitoring the security advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j for version-specific guidance. No workarounds are available according to the vendor advisory, making patching the only effective mitigation. Until patching is complete, consider implementing rate limiting and request filtering at the reverse proxy or WAF layer to detect and block requests with abnormally large or deeply nested query structures, though this is not a complete substitute for applying the official patch.

Share

CVE-2026-33498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy