CVE-2026-33508 is a vulnerability classified under CWE-674 (Uncontrolled Recursion) found in the LiveQuery component of Parse Server, an open-source backend platform for Node.js environments. The flaw exists because the LiveQuery module fails to enforce the configured requestComplexity.queryDepth limit when processing WebSocket subscription requests. Attackers can craft subscription queries with deeply nested logical operators, which cause the server to enter excessive recursive processing. This uncontrolled recursion leads to high CPU utilization, which can degrade server performance or cause service outages due to resource exhaustion. The vulnerability affects Parse Server versions earlier than 8.6.56 and versions from 9.0.0 up to but not including 9.6.0-alpha.45. Exploitation requires no authentication or user interaction and can be performed remotely by sending malicious WebSocket subscription requests. The vulnerability has been assigned a CVSS 4.0 base score of 8.2, reflecting its high severity due to network attack vector, no privileges required, and high impact on availability. The issue has been addressed in versions 8.6.56 and 9.6.0-alpha.45 by enforcing the queryDepth limit to prevent excessive recursion.

The primary impact of this vulnerability is a denial-of-service condition caused by excessive CPU consumption on affected Parse Server instances. Organizations relying on Parse Server for backend services, especially those using the LiveQuery feature for real-time data synchronization, may experience degraded performance or complete service outages if targeted. This can disrupt business operations, degrade user experience, and potentially lead to cascading failures in dependent systems. Since the vulnerability can be exploited remotely without authentication, it poses a significant risk to publicly accessible Parse Server deployments. The disruption could affect web and mobile applications relying on real-time updates, impacting sectors such as technology, finance, healthcare, and any industry using Parse Server for backend infrastructure. Although no data confidentiality or integrity impact is indicated, the availability impact alone can have severe operational consequences.

Organizations should immediately upgrade Parse Server to version 8.6.56 or later, or 9.6.0-alpha.45 or later, where the vulnerability is patched. If upgrading is not immediately feasible, administrators should consider implementing network-level protections such as Web Application Firewalls (WAFs) or rate limiting to detect and block suspiciously complex or deeply nested subscription requests targeting the LiveQuery WebSocket endpoint. Monitoring CPU usage and WebSocket traffic patterns can help identify potential exploitation attempts. Additionally, configuring Parse Server to enforce strict requestComplexity.queryDepth limits and validating subscription queries before processing can reduce risk. Isolating Parse Server instances behind VPNs or restricting access to trusted networks can further limit exposure. Regularly reviewing and applying security updates from the parse-community project is essential to maintain protection against similar vulnerabilities.