Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.
Published: 2026-03-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via regex backtracking on Parse Server LiveQuery
Action: Patch Now
AI Analysis

Impact

Parse Server is vulnerable to a Regular Expression Denial of Service that occurs when a client subscribes to LiveQuery with a crafted $regex pattern. The malicious input causes catastrophic backtracking in the JavaScript engine on the Node.js event loop, freezing the server and making it unresponsive to all clients. This vulnerability is a classic regular expression denial of service (CWE-1333).

Affected Systems

All deployments of Parse Server that enable LiveQuery and run a version prior to 8.6.11 or 9.5.0-alpha.14 are affected. This includes every 8.6.x release up to and including 8.6.10 and every 9.5.0-alpha release from alpha.1 through alpha.13, which are the builds listed in the CPE data.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity for availability impact. The EPSS score of less than 1% suggests that exploitation is currently unlikely but possible. The vulnerability is not listed in CISA’s KEV catalog. An attacker only needs the public application ID and JavaScript key to craft a subscription request, so the attack vector is remote and does not require privileged access. Successful exploitation blocks the entire Node.js event loop, effectively causing a denial of service for all connected clients.

Generated by OpenCVE AI on April 17, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.11 or 9.5.0-alpha.14 or later, which includes the fixed regex evaluator.
  • If an upgrade is not immediately feasible, disable LiveQuery or restrict its usage to trusted clients to prevent the ReDoS vulnerability from being exploitable.
  • Implement network-level controls such as a reverse proxy or WAF that can detect and deny high-complexity regex patterns, and monitor server CPU usage for abnormal spikes indicative of denial of service attempts.
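The description above and the third recommended action turn on the same point: LiveQuery evaluates the client's `$regex` in JavaScript on the event loop, so a gateway in front of the server can refuse patterns whose structure invites catastrophic backtracking before they are compiled. The following is an added example, not Parse Server code; the subscribe message layout (`op`, `query.where`) and the 256-character limit are assumptions, and the structural check is a heuristic for the common nested-quantifier shape rather than a complete regex complexity analysis.

```javascript
// Added example, not Parse Server code: a pre-filter a gateway in front of LiveQuery could apply
// to subscribe messages. Message shape (op, query.where) and the length limit are assumptions.
const MAX_PATTERN_LENGTH = 256;
// True when an unbounded quantifier (* + {m,}) is applied to a group that itself contains a
// quantifier, e.g. "(\w+\s?)*": the structure behind catastrophic backtracking. Heuristic only.
function hasNestedQuantifier(pattern) {
  const groups = [];                        // per open group: does it already contain a quantifier?
  let closedWithQuant = false, inClass = false; // closedWithQuant: previous token was ')' of such a group
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (inClass) { if (ch === '\\') i++; else if (ch === ']') inClass = false; continue; }
    if (ch === '\\') { i++; closedWithQuant = false; continue; }      // escaped literal
    if (ch === '[') { inClass = true; closedWithQuant = false; continue; }
    if (ch === '(') {                                 // "(?:", "(?=" ...: that '?' is not a quantifier
      groups.push(false); if (pattern[i + 1] === '?') i++;
      closedWithQuant = false; continue;
    }
    if (ch === ')') { closedWithQuant = groups.pop() === true; continue; }
    const q = /^(?:[*+?]|\{(\d+)(,(\d*))?\})/.exec(pattern.slice(i));
    if (q) {
      const unbounded = /^[*+]/.test(q[0]) || (q[2] === ',' && q[3] === '');
      if (closedWithQuant && unbounded) return true;
      if (groups.length) groups[groups.length - 1] = true;
      i += q[0].length - 1;
    }
    closedWithQuant = false;
  }
  return false;
}
// Every $regex string in a (nested) where clause, e.g. under $or / $and.
function collectRegexes(where, out = []) {
  if (!where || typeof where !== 'object') return out;
  for (const [k, v] of Object.entries(where)) {
    if (k === '$regex' && typeof v === 'string') out.push(v); else collectRegexes(v, out);
  }
  return out;
}
// Gateway decision for one LiveQuery client message: { allow, reasons }.
function checkSubscribe(msg) {
  const reasons = [];
  if (msg.op !== 'subscribe') return { allow: true, reasons };
  for (const p of collectRegexes(msg.query && msg.query.where)) {
    if (p.length > MAX_PATTERN_LENGTH) reasons.push(`$regex longer than ${MAX_PATTERN_LENGTH} chars`);
    else if (hasNestedQuantifier(p)) reasons.push(`nested quantifier in ${JSON.stringify(p)}`);
  }
  return { allow: reasons.length === 0, reasons };
}
```

Deployed at a proxy or WebSocket gateway, `checkSubscribe` rejects the message before it reaches the LiveQuery server; logging the rejected patterns also gives the CPU-spike monitoring recommended above a concrete indicator to correlate with.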

Advisories
Source: GitHub GHSA
ID: GHSA-mf3j-86qx-cq5j
Title: Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
History

Wed, 11 Mar 2026 20:00:00 +0000

First Time appeared: Parseplatform; Parseplatform parse-server
CPEs:
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*
Vendors & Products: Parseplatform; Parseplatform parse-server
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 10 Mar 2026 15:30:00 +0000

Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

First Time appeared: Parse Community; Parse Community parse Server
Vendors & Products: Parse Community; Parse Community parse Server

Mon, 09 Mar 2026 23:15:00 +0000

Description: identical to the Description at the top of this page
Title: Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Weaknesses: CWE-1333
References:
Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:11:27.984Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30925

Vulnrichment

Updated: 2026-03-10T14:09:04.763Z

NVD

Status: Analyzed

Published: 2026-03-10T17:40:16.313

Modified: 2026-03-11T19:53:57.000

Link: CVE-2026-30925

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses