CVE-2026-32944
Denial of Service via Deeply Nested Queries in Parse Server
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | to 8.6.45 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Parse Server to version 9.6.0-alpha.21 or 8.6.45 or later.
After upgrading, enable and configure the `requestComplexity.queryDepth` server option to set a depth limit for query condition operator nesting appropriate for your application.
Note that this option is disabled by default to avoid breaking changes, so it must be explicitly enabled.
No known workarounds are available.
Can you explain this vulnerability to me?
This vulnerability affects Parse Server, an open source backend for Node.js. Before versions 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker could send a single request containing deeply nested query condition operators that would crash the Parse Server process. This crash terminates the server, causing a denial of service to all connected clients.
To address this, a depth limit for query condition operator nesting was introduced via the `requestComplexity.queryDepth` server option starting in the fixed versions. However, this option is disabled by default to avoid breaking changes, so upgrading and enabling this option with an appropriate value is necessary to mitigate the issue.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) by crashing the Parse Server process when it receives a specially crafted request with deeply nested query conditions. This results in the server terminating and all connected clients losing service until the server is restarted or fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know