Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, a malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. This issue has been patched in versions 8.6.7 and 9.5.0-alpha.6.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability occurs when a malformed $regex query, such as an incomplete pattern, is processed by Parse Server. The database returns a detailed error object that is not sanitized before being included in the API response. As a result, sensitive database internals—including error messages, codes, cluster timestamps, and topology details—are exposed to the attacker. The flaw is categorized as a CWE‑209 weakness in Error Handling and Logging.

Affected Systems

Parse Server from the parse-community is affected: all releases prior to version 8.6.7, and 9.5.0 pre-releases prior to 9.5.0‑alpha.6. Deployments running these older releases on any Node.js‑capable infrastructure are vulnerable. No other vendors or product variants are currently listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be any client that can submit query requests to the Parse Server endpoint; exploitation depends on the deployment’s permission configuration, so the risk is higher in environments with permissive client access.

Generated by OpenCVE AI on April 16, 2026 at 11:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.7 or newer, or to 9.5.0‑alpha.6 or newer if using that release line.
  • Validate and sanitize all query parameters on the client side to ensure that malformed regex patterns are not sent to the server.
  • Restrict client permissions so that only trusted users or services can execute queries that include regex operators.
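An added JavaScript example (not Parse Server's code, and not the project's actual fix) showing the two server-side layers that the description and the actions above point at: refusing a `$regex` value that does not compile before it reaches the database, and replacing any raw database error with a generic response body. The error field names and values in the sample are constructed to resemble what the description says leaks.

```javascript
// Added illustration, not Parse Server's code or its fix. Two defensive layers
// against a CWE-209 style leak: reject unparsable $regex patterns before the
// query reaches the database, and never copy a raw driver error into the API
// response. Field names below are assumptions modelled on the advisory text.
const SAMPLE_DB_ERROR = {           // constructed sample error object
  errmsg: 'Regular expression is invalid: missing terminating ] for character class',
  code: 51091,                      // constructed value
  codeName: 'Location51091',        // constructed value
  $clusterTime: { clusterTime: 'constructed-timestamp' },
  topologyVersion: { processId: 'constructed', counter: 6 },
};
const INTERNAL_KEYS = ['errmsg', 'code', 'codeName', '$clusterTime', 'topologyVersion'];
// True when `pattern` compiles as a regular expression; "[abc" does not.
function isValidRegexPattern(pattern) {
  if (typeof pattern !== 'string') return false;
  try { new RegExp(pattern); return true; } catch (_) { return false; }
}

// Walks a (nested) `where` clause and returns the path of every invalid $regex,
// so the request can be rejected with a 400 before any database call is made.
function findInvalidRegexes(where, path = '') {
  const bad = [];
  if (where && typeof where === 'object') {
    for (const [key, value] of Object.entries(where)) {
      const here = path ? `${path}.${key}` : key;
      if (key === '$regex') { if (!isValidRegexPattern(value)) bad.push(here); }
      else bad.push(...findInvalidRegexes(value, here));
    }
  }
  return bad;
}

// Maps any database error to a generic body; full detail goes to the log only.
function toClientError(dbError, log = () => {}) {
  log({ level: 'error', detail: dbError });
  return { error: 'Internal server error' };
}

// Returns the internal field names found anywhere in a response body; usable as
// a regression test that the sanitizer is applied on every error path.
function leakedInternalKeys(body) {
  const found = [];
  if (body && typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      if (INTERNAL_KEYS.includes(key)) found.push(key);
      found.push(...leakedInternalKeys(value));
    }
  }
  return found;
}
```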

Advisories
Source: GitHub GHSA
ID: GHSA-9cp7-3q5w-j92g
Title: parse-server: Malformed `$regex` query leaks database error details in API response
History

Wed, 11 Mar 2026 13:15:00 +0000

Type: First Time appeared
Values added: Parseplatform; Parseplatform parse-server

Type: CPEs
Values added:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Parseplatform; Parseplatform parse-server

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values added: Parse Community; Parse Community parse Server

Fri, 06 Mar 2026 20:45:00 +0000

Type: Description
Values added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. This issue has been patched in versions 8.6.7 and 9.5.0-alpha.6.

Type: Title
Values added: Parse Server: Malformed `$regex` query leaks database error details in API response

Type: Weaknesses
Values added: CWE-209

Type: References

Type: Metrics (cvssV4_0)
Values added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:20.728Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30835

Vulnrichment

Updated: 2026-03-09T20:29:44.522Z

NVD

Status: Analyzed

Published: 2026-03-06T21:16:17.560

Modified: 2026-03-11T13:08:11.083

Link: CVE-2026-30835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses