CVE-2026-33508

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

CVE-2026-33508 Parse Server: LiveQuery subscription query depth bypass

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

CVE-2026-33429 Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped...

CVE-2026-33429

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped...

CVE-2026-33429

Parse Server exposes a protected-field information leak via LiveQuery watch parameter. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe with watch targeting a protected field; while the field value is stripped from payloads, the presence or absence of update events creates a...

CVE-2026-33429 Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped...

CVE-2026-33421

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

CVE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

CVE-2026-33421

Parse Server’s LiveQuery WebSocket interface historically did not enforce Class-Level Permission pointer permissions (readUserFields and pointerFields) prior to versions 8.6.53 and 9.6.0-alpha.42. Any authenticated user could subscribe to LiveQuery events and receive real-time updates for objects...

CVE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.53 and 9.6.0-alpha.42. These vulnerabilities stemmed from the LiveQuery WebSocket...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.56 and 9.6.0-alpha.45. These vulnerabilities stemmed from the LiveQuery component no...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.54 and 9.6.0-alpha.43. These vulnerabilities allowed attackers to infer changes in...

Uncontrolled Recursion

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

GHSA-6QH5-M6G3-XHQ6 Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the watch parameter in LiveQuery subscriptions targeting protected fields. An attacker can infer...

GHSA-QPC3-FG4J-8HGM Parse Server has a protected field change detection oracle via LiveQuery watch parameter

Impact An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolea...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker...

GHSA-FPH2-R4QG-9576 Parse Server's LiveQuery bypasses CLP pointer permission enforcement

Impact Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions,...