Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in the Parse Server's LiveQuery feature, where it fails to enforce limits on the nesting depth of query conditions in WebSocket subscription requests."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by sending subscription queries with deeply nested logical operators such as $or, $and, and $nor. This causes excessive recursion and high CPU consumption on the server.'}, {'type': 'paragraph', 'content': "As a result, the server's performance degrades or the service becomes unavailable, effectively causing a denial-of-service (DoS) condition."}, {'type': 'paragraph', 'content': 'The issue was fixed by adding a validation step that checks the nesting depth of query conditions before processing subscriptions, rejecting queries that exceed the configured maximum depth.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to disrupt the availability of your Parse Server backend.'}, {'type': 'paragraph', 'content': 'By sending subscription queries with excessively deep nesting, an attacker can cause high CPU usage and excessive recursion, which degrades server performance or causes the service to become unavailable.'}, {'type': 'paragraph', 'content': "This denial-of-service (DoS) condition can interrupt your application's real-time features that rely on LiveQuery subscriptions, potentially affecting user experience and business operations."}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring LiveQuery subscription requests to the Parse Server for deeply nested logical operators such as $or, $and, and $nor in the query conditions.

Specifically, queries that exceed the configured maximum nesting depth in the requestComplexity.queryDepth setting indicate potential exploitation attempts.

Detection can involve inspecting WebSocket subscription requests for unusually complex or deeply nested query structures.

While no explicit commands are provided in the resources, administrators can enable detailed logging on the Parse Server to capture subscription queries and analyze them for excessive nesting.

Additionally, monitoring for Parse.Error.INVALID_QUERY errors related to query condition nesting depth exceeding the allowed maximum can help identify attempted exploitations.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Parse Server to version 8.6.56 or later, or 9.6.0-alpha.45 or later, where the issue has been patched.

Ensure that the requestComplexity.queryDepth configuration setting is enabled and set to a reasonable maximum nesting depth (e.g., 10) to enforce limits on query complexity.

Avoid disabling the queryDepth check by not setting it to -1, as this disables the depth validation and leaves the server vulnerable.

If upgrading immediately is not possible, consider monitoring and blocking WebSocket subscription requests with deeply nested logical operators to reduce risk.

Useful 0 Not Useful 0