GHSA-6qh5-m6g3-xhq6
GHSA-96qp-8cmq-jvq8
GHSA-hgx2-28f8-6g2r
GHSA-r7mc-x6x7-cqxx
GHSA-v2hr-chj5-35fh
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
### Impact

Parse Server's LiveQuery component does not enforce the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. Deployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients.

### Patches

The fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same `requestComplexity.queryDepth` limit that already protects REST API queries.

### Workarounds

There is no known workaround other than upgrading.
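The kind of check the patch description refers to, as an added example that is not Parse Server's own code: a depth validator applied to the `where` clause of a LiveQuery-style subscribe message before the subscription is accepted, reusing the `requestComplexity.queryDepth` value. Everything beyond the advisory text is an assumption: that depth is counted as nesting of the logical operators `$or`, `$and` and `$nor` with a flat query at depth 1, that the subscribe message carries `query.className` and `query.where`, that the limit lives at `config.requestComplexity.queryDepth`, and that an unset limit disables the check. The validator stops descending as soon as the limit is crossed, so the check itself never recurses deeper than the configured limit regardless of how large the incoming payload is.

```javascript
// Added example, not Parse Server's implementation. Assumed depth rule:
// each nested $or/$and/$nor level adds one; a flat query has depth 1.
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Returns true as soon as nesting passes `limit`; it never walks the whole
// object, so the validator is bounded by the limit, not by the input size.
function exceedsQueryDepth(where, limit, current = 1) {
  if (current > limit) return true;
  if (where === null || typeof where !== 'object' || Array.isArray(where)) return false;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
      for (const clause of value) {
        if (exceedsQueryDepth(clause, limit, current + 1)) return true;
      }
    }
  }
  return false;
}

// Gate for an incoming subscribe message. Assumed shapes:
//   message: { op: 'subscribe', requestId, query: { className, where } }
//   config:  { requestComplexity: { queryDepth } }   (unset => no check)
function validateSubscribe(message, config) {
  const limit = config?.requestComplexity?.queryDepth;
  const where = message?.query?.where ?? {};
  if (typeof limit === 'number' && exceedsQueryDepth(where, limit)) {
    return { ok: false, error: `Query exceeds maximum depth of ${limit}` };
  }
  return { ok: true };
}

// Constructed sample inputs (not captured traffic).
const CONFIG = { requestComplexity: { queryDepth: 4 } };

const FLAT_SUBSCRIBE = {
  op: 'subscribe', requestId: 1,
  query: { className: 'Post', where: { author: 'alice', score: { $gt: 5 } } },
};

const NESTED_SUBSCRIBE = {
  op: 'subscribe', requestId: 2,
  query: { className: 'Post', where: { $or: [{ a: 1 }, { $and: [{ b: 2 }] }] } }, // depth 3
};

// Six nested $or levels: depth 7, over the limit of 4.
const TOO_DEEP_SUBSCRIBE = {
  op: 'subscribe', requestId: 3,
  query: { className: 'Post',
    where: { $or: [{ $or: [{ $or: [{ $or: [{ $or: [{ $or: [{ x: 1 }] }] }] }] }] }] } },
};

for (const msg of [FLAT_SUBSCRIBE, NESTED_SUBSCRIBE, TOO_DEEP_SUBSCRIBE]) {
  console.log(msg.requestId, validateSubscribe(msg, CONFIG));
}
```

Wiring this into a handler means rejecting the subscribe with an error frame (and logging the client and `requestId`) instead of registering the subscription; the rejection happens before any query evaluation, which is what removes the CPU cost the advisory describes.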
Analysis
Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscription requests, allowing attackers to send deeply nested logical operators that trigger excessive recursion and CPU consumption. This affects Parse Server deployments where the LiveQuery WebSocket endpoint is accessible to untrusted clients (pkg:npm/parse-server). …
Remediation
Within 24 hours: identify all Parse Server instances with LiveQuery enabled and assess internet exposure; temporarily restrict WebSocket access to trusted networks if possible. Within 7 days: apply the vendor patch across all affected Parse Server deployments in a staged rollout. …
EUVD-2026-13917