CVE-2026-32944
EUVD-2026-1299218.03.2026, 22:16
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| parseplatform | parse-server | 𝑥 < 8.6.45 |
| parseplatform | parse-server | 9.0.0 ≤ 𝑥 < 9.6.0 |
| parseplatform | parse-server | 9.6.0:alpha1 |
| parseplatform | parse-server | 9.6.0:alpha10 |
| parseplatform | parse-server | 9.6.0:alpha11 |
| parseplatform | parse-server | 9.6.0:alpha12 |
| parseplatform | parse-server | 9.6.0:alpha13 |
| parseplatform | parse-server | 9.6.0:alpha14 |
| parseplatform | parse-server | 9.6.0:alpha15 |
| parseplatform | parse-server | 9.6.0:alpha16 |
| parseplatform | parse-server | 9.6.0:alpha17 |
| parseplatform | parse-server | 9.6.0:alpha18 |
| parseplatform | parse-server | 9.6.0:alpha19 |
| parseplatform | parse-server | 9.6.0:alpha2 |
| parseplatform | parse-server | 9.6.0:alpha20 |
| parseplatform | parse-server | 9.6.0:alpha3 |
| parseplatform | parse-server | 9.6.0:alpha4 |
| parseplatform | parse-server | 9.6.0:alpha5 |
| parseplatform | parse-server | 9.6.0:alpha6 |
| parseplatform | parse-server | 9.6.0:alpha7 |
| parseplatform | parse-server | 9.6.0:alpha8 |
| parseplatform | parse-server | 9.6.0:alpha9 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration