CVE-2026-32944

EPSS 0.02%

Parse Server crash via deeply nested query condition operators

Published: 3/17/2026Modified: 3/20/2026

Also known as:GHSA-9xp9-j92r-p88vBIT-parse-2026-32944

Description

### Impact An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. ### Patches A depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. ### Workarounds None.

Affected packages (2)

Bitnami/parsefrom 0, < 8.6.45, >= 9.0.0, < 9.6.0
npm/parse-server>= 9.0.0, < 9.6.0-alpha.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32944
PATCHhttps://github.com/parse-community/parse-server
WEBhttps://github.com/parse-community/parse-server/pull/10202
WEBhttps://github.com/parse-community/parse-server/pull/10203
WEBhttps://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v