Parse Server LiveQuery subscription with invalid regular expression crashes server
- Severity: Medium
Description
A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.
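A defensive check for the failure described above, as an added example that is not Parse Server's code or its patch: it compiles every `$regex` constraint in a subscription's where clause at subscribe time, so a pattern that does not compile is reported as a validation error instead of throwing inside the matching path. The where-clause shape, the `$options` handling, and all function names are assumptions for illustration.

```javascript
'use strict';

// Try to compile a pattern; return null on success or the error text on failure.
function compileError(pattern, flags) {
  if (typeof pattern !== 'string') return 'pattern is not a string';
  try {
    new RegExp(pattern, flags || '');
    return null;
  } catch (err) {
    return err.message; // SyntaxError for a bad pattern or bad flags
  }
}

// Walk a where clause (assumed shape: nested objects and arrays carrying
// { $regex, $options } constraints) and collect every regex that fails to compile.
function findInvalidRegex(where, path = '') {
  const problems = [];
  if (Array.isArray(where)) {
    where.forEach((item, i) => problems.push(...findInvalidRegex(item, `${path}[${i}]`)));
  } else if (where !== null && typeof where === 'object') {
    if (Object.prototype.hasOwnProperty.call(where, '$regex')) {
      const reason = compileError(where.$regex, where.$options);
      if (reason) problems.push({ path, reason });
    }
    for (const [key, value] of Object.entries(where)) {
      if (key === '$regex' || key === '$options') continue;
      problems.push(...findInvalidRegex(value, path ? `${path}.${key}` : key));
    }
  }
  return problems;
}

// Gate for a subscribe request (hypothetical helper): reject instead of crashing later.
function checkSubscription(where) {
  const problems = findInvalidRegex(where);
  return problems.length === 0 ? { ok: true } : { ok: false, problems };
}

// Constructed sample where clauses.
const good = { name: { $regex: '^ab', $options: 'i' } };
const bad = { $or: [{ name: { $regex: '[' } }, { title: { $regex: 'x', $options: 'q' } }] };

console.log(checkSubscription(good));
console.log(JSON.stringify(checkSubscription(bad), null, 2));
```

This check covers syntax only; it does not bound how long a valid pattern takes to match.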
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): **< 8.6.43; >= 9.0.0, < 9.6.0-alpha.19**
- Patched version(s): **8.6.43, 9.6.0-alpha.19**
References
Related Issues
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause - CVE-2026-32098
- Parse Server LiveQuery subscription query depth bypass - CVE-2026-33508
- Parse Server's Cloud function dispatch crashes server via prototype chain traversal - CVE-2026-32886
- Tags: npm, parse-server
Last updated on March 19, 2026