Vulnerability in Parse-community Parse-server

CVE-2026-33498

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing…

EPSS: 0.000 (6.1th percentile) — read the EPSS interpretation.

Affected products

Parse-community Parse-server — versions < 8.6.55, >= 9.0.0, < 9.6.0-alpha.44

Weakness classification (CWE)

CWE-674 — Uncontrolled Recursion

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j (x_refsource_CONFIRM)
https://github.com/parse-community/parse-server/pull/10257 (x_refsource_MISC)
https://github.com/parse-community/parse-server/pull/10258 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5 (x_refsource_MISC)
https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1 (x_refsource_MISC)