CVE-2026-32944

216.73.217.22

· Published 18/03/2026 22:16 · Modified 19/03/2026 16:46

Labels: CVE-2026-32944 2026-03-18 CVE-2026-32944 CWE-674 [email protected]

Essential information

Published: 18/03/2026 22:16
Modified: 19/03/2026 16:46
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available.

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server::::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server::::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8::::node.js::*`
parseplatform / parse-server	`cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9::::node.js::*`