Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Severity: High
Description
A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected.
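As an added defensive example (not code from Parse Server or this advisory): a pre-check a deployment could run over a LiveQuery subscription's `where` clause before accepting it, refusing `$regex` values that are over-long, contain backreferences, or have the nested-quantifier shape that produces catastrophic backtracking. The helper names are hypothetical; `$regex`/`$options` and `$or`/`$and`/`$nor` are Parse's standard query operators. It is a compensating control for deployments that cannot update yet, not a substitute for the patched version.

```javascript
// Hypothetical compensating control; not Parse Server code.
const MAX_REGEX_LENGTH = 256;

// Coarse structural check for a quantified group that is itself quantified,
// e.g. "(a+)+" or "(\d*)*", the classic catastrophic-backtracking shape.
// Deliberately conservative: some safe patterns are rejected too.
const NESTED_QUANTIFIER = /\([^()]*[+*][^()]*\)[+*{]/;

// Backreferences (\1 .. \9) also force the engine to backtrack.
const BACKREFERENCE = /\\[1-9]/;

function isAcceptableRegex(pattern) {
  if (typeof pattern !== 'string') return false;
  if (pattern.length > MAX_REGEX_LENGTH) return false;
  if (NESTED_QUANTIFIER.test(pattern)) return false;
  if (BACKREFERENCE.test(pattern)) return false;
  return true;
}

// Recursively walk a Parse `where` object (including $or/$and/$nor arrays)
// and return the paths of every $regex value that fails the check.
// An empty array means the subscription query may be accepted.
function findRegexViolations(where, path = '') {
  const violations = [];
  if (Array.isArray(where)) {
    where.forEach((sub, i) =>
      violations.push(...findRegexViolations(sub, `${path}[${i}]`)));
    return violations;
  }
  if (where === null || typeof where !== 'object') return violations;
  for (const [key, value] of Object.entries(where)) {
    const here = path ? `${path}.${key}` : key;
    if (key === '$regex') {
      if (!isAcceptableRegex(value)) violations.push(here);
    } else {
      violations.push(...findRegexViolations(value, here));
    }
  }
  return violations;
}

function isSubscriptionQueryAllowed(where) {
  return findRegexViolations(where).length === 0;
}

// Constructed sample subscription queries, one benign and one to be refused.
const benign = { name: { $regex: '^ali', $options: 'i' } };
const refused = { $or: [{ score: 1 }, { name: { $regex: '(a+)+$' } }] };
console.log(isSubscriptionQueryAllowed(benign), findRegexViolations(refused));
```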
Recommendation
Update the parse-server package to the latest compatible version. Version details:

Affected version(s): **< 8.6.11**; **>= 9.0.0-alpha.1, < 9.5.0-alpha.14**
Patched version(s): **8.6.11**; **9.5.0-alpha.14**
Related Issues
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Parse Server: Denial of Service via unindexed database query for unconfigured auth providers - CVE-2026-33538
- Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
Tags: npm, parse-server
Last updated on March 10, 2026