HIGH 7.5
GHSA-9fjp-q3c4-6w3j
Parse Server has a query condition depth bypass via pre-validation transform pipeline
상세
### Impact
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
### Patches
The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.
### Workarounds
None.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33498 [ADVISORY]
- https://github.com/parse-community/parse-server/pull/10257 [WEB]
- https://github.com/parse-community/parse-server/pull/10258 [WEB]
- https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5 [WEB]
- https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1 [WEB]
- https://github.com/parse-community/parse-server [PACKAGE]