Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
- Severity: High
Description
A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected.
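The event loop blocks because the pattern a client supplies is compiled and matched synchronously on the server. The following is an added example, not Parse Server's own code, of a conservative pre-check that a deployment could run over a subscription's `where` clause before accepting it: it bounds pattern length, rejects backreferences and rejects a variable-length quantifier applied to a group that already contains one (the `(x+)*` shape behind catastrophic backtracking). The where-clause shape (`{ field: { $regex: '...' } }` nested under `$and`/`$or` arrays), the `MAX_PATTERN_LENGTH` value and the helper names are assumptions, and the scan is a heuristic rather than a complete ReDoS analysis.

```javascript
// Added example, not Parse Server's own code: screen $regex patterns in a
// LiveQuery where clause before they reach the regex engine.
// Assumptions: where-clause shape { field: { $regex: '...' } } optionally nested
// under $and / $or arrays; MAX_PATTERN_LENGTH is a deployment-chosen limit.
const MAX_PATTERN_LENGTH = 256; // assumption: tune per deployment

// Parse a quantifier starting at pattern[i]. Returns { length, variable } or null.
// "variable" means the repetition count is not fixed: *, +, {n,}, {n,m} with m > n.
function readQuantifier(pattern, i) {
  const c = pattern[i];
  if (c === '*' || c === '+') return { length: 1, variable: true };
  if (c === '?') return { length: 1, variable: false };
  if (c === '{') {
    const m = /^\{(\d+)(?:,(\d*))?\}/.exec(pattern.slice(i));
    if (!m) return null; // a literal '{', not a quantifier
    const min = Number(m[1]);
    const max = m[2] === undefined ? min : m[2] === '' ? Infinity : Number(m[2]);
    return { length: m[0].length, variable: max > min };
  }
  return null;
}

// Single pass over the pattern, tracking open groups. Returns { ok, reason }.
function checkPattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  try { new RegExp(pattern); } catch (e) { return { ok: false, reason: 'invalid regex' }; }

  const groups = []; // one flag per open group: does it contain a variable quantifier?
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === '\\') {
      if (/[1-9]/.test(pattern[i + 1] || '')) return { ok: false, reason: 'backreference' };
      i += 2; // escaped character
      continue;
    }
    if (c === '[') { // skip a character class; quantifier characters inside it are literal
      i += 1;
      if (pattern[i] === '^') i += 1;
      if (pattern[i] === ']') i += 1; // a leading ']' is literal
      while (i < pattern.length && pattern[i] !== ']') i += pattern[i] === '\\' ? 2 : 1;
      i += 1;
      continue;
    }
    if (c === '(') { groups.push(false); i += 1; continue; }
    if (c === ')') {
      const inner = groups.pop();
      i += 1;
      const q = readQuantifier(pattern, i);
      if (q) i += q.length;
      if (q && q.variable && inner) return { ok: false, reason: 'nested quantifier' }; // e.g. (x+)*
      if ((inner || (q && q.variable)) && groups.length) groups[groups.length - 1] = true;
      continue;
    }
    const q = readQuantifier(pattern, i);
    if (q) {
      if (q.variable && groups.length) groups[groups.length - 1] = true;
      i += q.length;
      continue;
    }
    i += 1;
  }
  return { ok: true, reason: null };
}

// Walk a where clause and collect every $regex value that fails the check.
function validateLiveQueryWhere(where, path = 'where') {
  const violations = [];
  if (Array.isArray(where)) {
    where.forEach((item, idx) => violations.push(...validateLiveQueryWhere(item, `${path}[${idx}]`)));
  } else if (where && typeof where === 'object') {
    for (const [key, value] of Object.entries(where)) {
      const here = `${path}.${key}`;
      if (key === '$regex') {
        const result = checkPattern(value);
        if (!result.ok) violations.push({ path: here, reason: result.reason });
      } else {
        violations.push(...validateLiveQueryWhere(value, here));
      }
    }
  }
  return violations;
}

// Constructed sample subscription: one benign prefix match, one nested-quantifier pattern.
const sampleWhere = {
  $or: [
    { name: { $regex: '^ab' } },
    { email: { $regex: '(\\w+)*@' } },
  ],
};
console.log(validateLiveQueryWhere(sampleWhere));
```

A rejected subscription should be refused at the LiveQuery handshake and logged with the client identity and the offending path, so that repeated attempts show up in monitoring; the check adds no measurable cost to legitimate subscriptions, which are short and non-nested.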
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **< 8.6.11**; **>= 9.0.0-alpha.1, < 9.5.0-alpha.14**
Patched version(s): **8.6.11**; **9.5.0-alpha.14**
References
Related Issues
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
- Parse Server: Pre-authentication denial of service via client version header regex backtracking - CVE-2026-47138
- Parse Server: Denial of Service via unindexed database query for unconfigured auth providers - CVE-2026-33538
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Tags: npm, parse-server
Last updated on March 10, 2026