Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
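To make the missing check concrete, here is an added illustrative example of a bounded depth check applied to a LiveQuery-style subscribe message. It is not Parse Server's own code: the names `checkQueryDepth`, `validateSubscribe`, `nestedAnd`, `LOGICAL_OPERATORS` and `MAX_QUERY_DEPTH` are assumptions, `MAX_QUERY_DEPTH` stands in for a configured `requestComplexity.queryDepth`, and only `$and`, `$or` and `$nor` are treated as nesting operators. The check is deliberately iterative and fails as soon as the limit is crossed, so the validator itself cannot be driven into deep recursion by the payload it inspects.

```javascript
// Added example, not Parse Server code. Assumed names throughout.

// Operators whose operands are themselves query objects, so each one adds a
// nesting level (assumption: these three are the ones that matter here).
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);

// Assumed limit standing in for requestComplexity.queryDepth.
const MAX_QUERY_DEPTH = 10;

// Returns the nesting depth of a `where` clause, or throws as soon as a node
// deeper than `maxDepth` is reached. An explicit stack replaces recursion so
// that a hostile payload cannot overflow the call stack of the checker itself,
// and early exit keeps the work bounded by the limit rather than by the payload.
function checkQueryDepth(where, maxDepth) {
  if (where === null || typeof where !== 'object') return 0;
  let deepest = 1;
  const stack = [{ node: where, depth: 1 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > maxDepth) {
      throw new Error(`query depth ${depth} exceeds limit ${maxDepth}`);
    }
    if (depth > deepest) deepest = depth;
    for (const [key, value] of Object.entries(node)) {
      if (LOGICAL_OPERATORS.has(key) && Array.isArray(value)) {
        for (const child of value) {
          if (child !== null && typeof child === 'object') {
            stack.push({ node: child, depth: depth + 1 });
          }
        }
      }
    }
  }
  return deepest;
}

// Validates a message shaped after the LiveQuery subscribe operation
// ({ op, requestId, query: { className, where } }) before any further processing.
function validateSubscribe(message, maxDepth = MAX_QUERY_DEPTH) {
  if (!message || message.op !== 'subscribe') {
    throw new Error('not a subscribe message');
  }
  const where = (message.query && message.query.where) || {};
  return checkQueryDepth(where, maxDepth);
}

// Constructed sample input: a where clause nested `levels` deep through $and,
// the shape of payload the advisory describes. Built iteratively on purpose.
function nestedAnd(levels) {
  let where = { score: { $gt: 0 } };
  for (let i = 1; i < levels; i++) {
    where = { $and: [where] };
  }
  return where;
}

// Stand-alone demonstration: a benign subscription passes, a hostile one is
// rejected without the checker walking the whole payload.
const benign = { op: 'subscribe', requestId: 1, query: { className: 'Score', where: nestedAnd(3) } };
const hostile = { op: 'subscribe', requestId: 2, query: { className: 'Score', where: nestedAnd(100000) } };
console.log('benign depth:', validateSubscribe(benign));
try {
  validateSubscribe(hostile);
} catch (err) {
  console.log('rejected:', err.message);
}
```

The check runs on the parsed message, so it sits after whatever JSON decoding the transport performs; its job is to stop the subscription matcher from recursing into an unbounded tree, which is the CPU cost the advisory describes.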
Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscriptions, allowing attackers to send deeply nested logical operators causing excessive CPU consumption and denial of service. This vulnerability affects versions prior to 8.6.56 and 9.6.0-alpha.45.
Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscription requests, allowing attackers to send deeply nested logical operators that cause excessive CPU consumption. This affects versions prior to 8.6.56 and 9.6.0-alpha.45.
Upgrade Parse Server immediately to 8.6.56 or later, or to 9.6.0-alpha.45 or later on the 9.x alpha line. Setting requestComplexity.queryDepth alone does not mitigate this on unpatched versions, because the LiveQuery component did not enforce it for WebSocket subscriptions; after upgrading, review that the setting is configured consistently across all Parse Server deployments. As defence in depth, rate-limit WebSocket connections and subscription messages at the network or proxy layer, and monitor CPU usage with alerting on abnormal subscription volume or unusually nested subscription queries.
Upgrade Parse Server immediately to version 8.6.56 or 9.6.0-alpha.45 or later. Apply network-level rate limiting to WebSocket connections. Monitor CPU usage and set up alerts for abnormal subscription patterns. Review and enforce the requestComplexity.queryDepth setting across all Parse Server deployments.