Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
Parse Server: LiveQuery subscription query depth bypass
Problem type
Affected products
parse-community
< 8.6.56 - AFFECTED
>= 9.0.0, < 9.6.0-alpha.45 - AFFECTED
References
https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6
https://github.com/parse-community/parse-server/pull/10259
https://github.com/parse-community/parse-server/pull/10260
https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899
https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b
GitHub Security Advisories
GHSA-6qh5-m6g3-xhq6
Parse Server LiveQuery subscription query depth bypass
https://github.com/advisories/GHSA-6qh5-m6g3-xhq6
Impact
Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.
Deployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients.
Patches
The fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same requestComplexity.queryDepth limit that already protects REST API queries.
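One way to enforce a depth limit on a subscription's where clause before it is processed, as an added example and not Parse Server's own code. The function names, the sample messages and the rule that depth counts nesting of $and / $or / $nor are assumptions.

```javascript
// Added example: helper names are hypothetical, not Parse Server's code.
// Assumption: depth is counted as nesting of $and / $or / $nor.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// True when logical-operator nesting in `where` is deeper than maxDepth.
// An explicit stack replaces recursion, so the validator cannot itself be
// pushed into the uncontrolled recursion it is meant to prevent.
function exceedsQueryDepth(where, maxDepth) {
  const stack = [{ node: where, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > maxDepth) return true; // stop at the first violation
    if (node === null || typeof node !== 'object') continue;
    for (const [key, value] of Object.entries(node)) {
      // Array indices and field names keep the depth; operators add one.
      const next = LOGICAL_OPERATORS.has(key) ? depth + 1 : depth;
      stack.push({ node: value, depth: next });
    }
  }
  return false;
}

// Gate a subscribe message before any query matching logic sees it.
function checkSubscription(message, requestComplexity) {
  const limit = requestComplexity.queryDepth;
  const where = (message.query && message.query.where) || {};
  if (exceedsQueryDepth(where, limit)) {
    return { ok: false, error: `Query condition nesting depth exceeds ${limit}` };
  }
  return { ok: true };
}

// Constructed sample messages (not captured traffic).
const shallow = {
  op: 'subscribe', requestId: 1,
  query: { className: 'Item', where: { $or: [{ a: 1 }, { b: { $gt: 2 } }] } },
};
const nested = {
  op: 'subscribe', requestId: 2,
  query: { className: 'Item', where: { $or: [{ $and: [{ $nor: [{ a: 1 }] }] }] } },
};

console.log(checkSubscription(shallow, { queryDepth: 2 })); // accepted
console.log(checkSubscription(nested, { queryDepth: 2 }));  // rejected
```

Rejecting at the first node past the limit keeps the cost of validating an oversized subscription bounded by the limit rather than by the size of the input.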
Workarounds
There is no known workaround other than upgrading.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-33508
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-33508",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-24T18:21:08.477Z",
"dateReserved": "2026-03-20T16:59:08.889Z",
"datePublished": "2026-03-24T18:21:08.477Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-24T18:21:08.477Z"
},
"title": "Parse Server: LiveQuery subscription query depth bypass",
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45."
}
],
"affected": [
{
"vendor": "parse-community",
"product": "parse-server",
"versions": [
{
"version": "< 8.6.56",
"status": "affected"
},
{
"version": ">= 9.0.0, < 9.6.0-alpha.45",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-674: Uncontrolled Recursion",
"cweId": "CWE-674",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6",
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/parse-community/parse-server/pull/10259",
"name": "https://github.com/parse-community/parse-server/pull/10259",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/parse-community/parse-server/pull/10260",
"name": "https://github.com/parse-community/parse-server/pull/10260",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899",
"name": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b",
"name": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}