Parse Server is an open-source backend framework that runs on Node.js and is widely used to build scalable applications. CVE-2026-32944 is a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting parse-server versions >= 9.0.0 and < 9.6.0-alpha.21, as well as versions below 8.6.45. The vulnerability arises because parse-server does not limit the depth of nested query condition operators in incoming requests. An attacker can craft a single malicious request with excessively deep nesting of query operators, causing the server to enter uncontrolled recursive processing. This recursion exhausts server resources, leading to a crash of the parse-server process and resulting in a denial of service (DoS) condition. The attack requires no authentication or user interaction, making it trivially exploitable remotely over the network. To address this, parse-server versions 9.6.0-alpha.21 and 8.6.45 introduced a new configuration option, requestComplexity.queryDepth, which enforces a maximum allowed depth for query nesting. However, this option is disabled by default to avoid breaking existing applications, so administrators must explicitly enable and configure it. No alternative workarounds are available, emphasizing the importance of upgrading and configuring the depth limit. The vulnerability has a CVSS 4.0 score of 8.7, indicating a high severity due to its network attack vector, lack of required privileges or user interaction, and its impact on availability.

The primary impact of this vulnerability is a denial of service affecting availability. Organizations running vulnerable parse-server versions are at risk of having their backend services abruptly terminated by a single malicious request, causing downtime and disruption to all connected clients. This can lead to loss of business continuity, degraded user experience, and potential cascading failures in dependent systems. Since parse-server is often used in mobile and web application backends, the impact can extend to customer-facing services, potentially damaging reputation and trust. The ease of exploitation—no authentication or user interaction required—makes this vulnerability attractive for attackers aiming to disrupt services. While no known exploits are currently reported in the wild, the simplicity of the attack vector suggests that exploitation could emerge rapidly. Organizations with parse-server deployments in critical infrastructure or high-availability environments face increased operational risk. Additionally, repeated exploitation attempts could lead to resource exhaustion and increased operational costs due to recovery efforts.

To mitigate this vulnerability, organizations should immediately upgrade parse-server to version 9.6.0-alpha.21 or later, or 8.6.45 or later, where the fix is implemented. After upgrading, administrators must explicitly enable and configure the requestComplexity.queryDepth option to enforce a sensible maximum depth for query condition nesting based on their application's expected query complexity. This setting prevents maliciously crafted requests from triggering uncontrolled recursion. It is critical to test this configuration in staging environments to avoid breaking legitimate queries. Network-level protections such as Web Application Firewalls (WAFs) can be tuned to detect and block requests with suspiciously deep or complex query structures, providing an additional layer of defense. Monitoring and alerting on parse-server crashes or unusual request patterns can help detect exploitation attempts early. Since no workarounds exist, patching and configuration are the only effective defenses. Organizations should also review their incident response plans to handle potential DoS incidents and ensure rapid recovery.