CVE-2026-33508: CWE-674: Uncontrolled Recursion in parse-community parse-server
CVE-2026-33508 is a high-severity vulnerability in the Parse Server LiveQuery component affecting versions prior to 8.6.56 and 9.6.0-alpha.45. The flaw arises from uncontrolled recursion when processing WebSocket subscription requests with deeply nested logical operators, bypassing the requestComplexity.queryDepth limit. This leads to excessive CPU consumption, causing service degradation or denial of service. Exploitation requires no authentication or user interaction and can be triggered remotely over the network.
AI Analysis
Technical Summary
Parse Server, an open-source backend platform running on Node.js, includes a LiveQuery feature that allows clients to subscribe to real-time data updates via WebSocket connections. In versions prior to 8.6.56 and 9.6.0-alpha.45, the LiveQuery component fails to enforce the configured requestComplexity.queryDepth limit when processing subscription requests. This configuration is intended to restrict the depth of nested logical operators in queries to prevent excessive resource consumption. However, due to uncontrolled recursion in the query parsing logic (classified under CWE-674: Uncontrolled Recursion), an attacker can craft subscription requests containing deeply nested logical operators that cause the server to recurse excessively. This results in high CPU usage, potentially degrading server performance or causing denial of service. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk. The issue has been addressed in versions 8.6.56 and 9.6.0-alpha.45 by properly enforcing the queryDepth limit during request processing. No public exploits have been reported yet, but the high CVSS 8.2 score reflects the significant impact on availability and ease of exploitation.
Potential Impact
This vulnerability primarily impacts the availability of services running Parse Server with the affected LiveQuery versions. An attacker can remotely trigger excessive CPU consumption, leading to degraded performance or complete denial of service. Organizations relying on real-time data updates via LiveQuery may experience outages or slowdowns, affecting user experience and potentially causing business disruption. Since no authentication is required, attackers can exploit this vulnerability at scale, increasing the risk of widespread service interruptions. The vulnerability does not directly affect confidentiality or integrity but can indirectly impact business operations and trust. Services exposed to the internet or with insufficient network controls are at higher risk. The lack of known exploits currently provides a window for remediation before active attacks emerge.
Mitigation Recommendations
The primary mitigation is to upgrade Parse Server to version 8.6.56 or later, or 9.6.0-alpha.45 or later, where the vulnerability is patched. Organizations should audit their Parse Server deployments to identify affected versions and plan immediate upgrades. Additionally, administrators should review and tighten the requestComplexity.queryDepth configuration to enforce reasonable limits on query complexity. Implementing Web Application Firewalls (WAFs) or rate limiting on WebSocket connections can help detect and block abnormal subscription request patterns indicative of exploitation attempts. Monitoring CPU usage and LiveQuery request logs for spikes or unusual nested query structures can provide early warning signs. Network segmentation and restricting access to LiveQuery endpoints to trusted clients can reduce exposure. Finally, maintaining an incident response plan for denial-of-service scenarios involving backend services is advisable.
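The recommendations above ask operators to enforce a reasonable query depth and to watch LiveQuery traffic for unusually nested query structures. The following is an added example, not Parse Server's own code and not the upstream fix: an iterative depth counter for the logical operators `$or`, `$and` and `$nor` in a Parse-style `where` clause, wrapped in a hypothetical `checkSubscriptionDepth` guard that compares the measured depth against a `queryDepth` value assumed to come from the server's requestComplexity configuration. The subscribe message shape and the sample queries are constructed for illustration. Walking the query with an explicit stack rather than recursion means the check itself cannot exhaust the call stack, and traversal stops as soon as the limit is exceeded, so the cost of rejecting an oversized request is bounded by the limit rather than by the size of the input.

```javascript
// Added example (not Parse Server code): depth-limit pre-check for LiveQuery
// subscription queries. Assumes a Parse/MongoDB-style `where` object in which
// the logical operators $or, $and and $nor each hold an array of sub-queries.

const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Returns the maximum nesting depth of $or/$and/$nor in `query`.
// A query with no logical operators has depth 0; {$or: [{a: 1}]} has depth 1.
// When `maxDepth` is given, traversal stops early once it is exceeded, so the
// returned value is only guaranteed to be exact when it is <= maxDepth.
function logicalOperatorDepth(query, maxDepth = Infinity) {
  let deepest = 0;
  const stack = [{ node: query, depth: 0 }]; // explicit stack, no recursion
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    for (const [key, value] of Object.entries(node)) {
      if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
        const childDepth = depth + 1;
        if (childDepth > deepest) deepest = childDepth;
        if (deepest > maxDepth) return deepest; // limit exceeded: stop walking
        for (const clause of value) stack.push({ node: clause, depth: childDepth });
      } else if (value !== null && typeof value === 'object') {
        // Field constraints such as {score: {$gt: 10}} or malformed operator
        // values do not add logical depth, but are still walked so operators
        // nested further down are not missed.
        stack.push({ node: value, depth });
      }
    }
  }
  return deepest;
}

// Hypothetical guard: reject a subscribe message whose `where` clause nests
// logical operators deeper than `queryDepth` (assumed to be the configured
// requestComplexity.queryDepth value). Returns a result object rather than
// throwing so the caller can log the rejection with the measured depth.
function checkSubscriptionDepth(subscribeMessage, queryDepth) {
  const where = (subscribeMessage.query && subscribeMessage.query.where) || {};
  const depth = logicalOperatorDepth(where, queryDepth);
  if (depth > queryDepth) {
    return {
      ok: false,
      depth,
      error: `query depth ${depth} exceeds queryDepth limit ${queryDepth}`,
    };
  }
  return { ok: true, depth };
}

// Constructed samples (not real captures). Subscribe message shape is assumed.
const benign = {
  op: 'subscribe',
  requestId: 1,
  query: {
    className: 'Player',
    where: { $or: [{ score: { $gt: 10 } }, { name: 'x' }] }, // depth 1
  },
};

const tooDeep = {
  op: 'subscribe',
  requestId: 2,
  query: {
    className: 'Player',
    where: {
      $or: [
        {
          $and: [
            { $nor: [{ score: { $lt: 0 } }, { banned: true }] },
            { level: { $gte: 3 } },
          ],
        },
        { name: 'x' },
      ],
    }, // depth 3
  },
};

console.log(checkSubscriptionDepth(benign, 2));  // { ok: true, depth: 1 }
console.log(checkSubscriptionDepth(tooDeep, 2)); // { ok: false, depth: 3, error: ... }
```

In a deployment, the rejection path is the place to emit a log line carrying the request id, client address and measured depth; a burst of such rejections from one source is exactly the "unusual nested query structures" signal the recommendations describe, and it can feed the rate limiting or WAF rules mentioned above.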
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:59:08.889Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c2d884f4197a8e3b5f9667
Added to database: 3/24/2026, 6:31:32 PM
Last enriched: 3/24/2026, 6:47:16 PM
Last updated: 3/24/2026, 10:06:51 PM