7.5 CVE-2026-32944
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.
https://nvd.nist.gov/vuln/detail/CVE-2026-32944
Categories
CWE-674 : Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. Increase the stack size. Deeply nested arrays trigger stack exhaustion. Self-referencing pointers create infinite loop and resultant stack exhaustion. Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition. An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition. USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.
References
security-advisories@github.com
AFFECTED (from MITRE)
| Vendor |
Product |
Versions |
| parse-community |
parse-server |
- >= 9.0.0, < 9.6.0-alpha.21 [affected]
- < 8.6.45 [affected]
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* |
|
< 8.6.45 |
| cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* |
>= 9.0.0 |
< 9.6.0 |
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:* |
|
|
| cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:* |
|
|
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 230 |
Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side. An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system. |
High |
| 231 |
Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution. An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side. An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system. |
High |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
