parse-server: Malformed `$regex` query leaks database error details in API response
- Severity: Medium
Description
A malformed `$regex` query parameter (e.g. `[abc`) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details.
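A defense-in-depth pattern for the failure mode described above, as an added example that is not parse-server's code or its patch: reject `$regex` values that do not compile, and never forward a raw driver error to the client. The function names, the response shape, the numeric codes and the sample error object are all assumptions made for illustration.

```javascript
// Added example, not parse-server code. All names and codes here are hypothetical.
const GENERIC_ERROR = { code: 1, error: 'Internal server error.' };
const INVALID_QUERY = 102; // example code for a rejected query

// Constructed sample of a driver error carrying the kinds of fields the
// advisory lists (message, code, code name, cluster time). Values are made up.
const SAMPLE_DB_ERROR = Object.assign(new Error('Regular expression is invalid'), {
  code: 99999,
  codeName: 'ConstructedCodeName',
  $clusterTime: { clusterTime: 'constructed-timestamp' },
});

// Return the path of the first $regex that is not a compilable string, else null.
// JavaScript and the database may use different regex dialects, so passing this
// check does not guarantee the database accepts the pattern.
function findBadRegex(where, path = '') {
  if (where === null || typeof where !== 'object') return null;
  for (const [key, value] of Object.entries(where)) {
    const here = path ? `${path}.${key}` : key;
    if (key === '$regex') {
      if (typeof value !== 'string') return here;
      try { new RegExp(value); } catch (e) { return here; }
    } else {
      const bad = findBadRegex(value, here);
      if (bad) return bad;
    }
  }
  return null;
}

// Run a query through `runQuery` (hypothetical driver call). Whatever it throws
// is logged server-side only; the client always gets the fixed generic body.
// With an async driver the same try/catch wraps the `await`.
function handleFind(where, runQuery, log = console.error) {
  const bad = findBadRegex(where);
  if (bad) {
    const error = `Invalid regular expression at ${bad}`;
    return { status: 400, body: { code: INVALID_QUERY, error } };
  }
  try {
    return { status: 200, body: { results: runQuery(where) } };
  } catch (err) {
    log(err); // full detail stays in server logs
    return { status: 500, body: { ...GENERIC_ERROR } };
  }
}
```

The pre-check alone is not sufficient because of the dialect difference noted in the comments; the catch branch is what keeps database internals out of the response.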
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): **< 8.6.7; >= 9.0.0, < 9.5.0-alpha.6**
- Patched version(s): **8.6.7, 9.5.0-alpha.6**
Related Issues
- Parse Server: Denial of Service via unindexed database query for unconfigured auth providers - CVE-2026-33538
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Tags: npm, parse-server
Last updated on March 06, 2026