CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30835: Database Metadata Leak via Malformed Regex in Parse Server

Vulnerability ID: CVE-2026-30835
CVSS Score: 6.9
Published: 2026-03-06

Parse Server, a popular open-source backend framework, contains an information disclosure vulnerability in its query processing layer. The flaw manifests when the server processes malformed regular expression queries targeting the underlying database. Instead of returning a generic error message, the application propagates the raw database error object—containing internal cluster timestamps, topology information, and driver-specific error codes—directly to the API consumer. This exposure allows unauthenticated attackers to fingerprint the backend infrastructure and gather intelligence for subsequent attacks.

TL;DR

Parse Server versions prior to 8.6.7 leak raw database error objects when handling invalid $regex queries. This exposes internal metadata like cluster timestamps and topology details to attackers.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-209
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network
  • Impact: Information Disclosure
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Parse Server < 8.6.7
  • Parse Server 9.0.0 - 9.5.0-alpha.5
  • parse-server: < 8.6.7 (Fixed in: 8.6.7)
  • parse-server: >= 9.0.0 < 9.5.0-alpha.6 (Fixed in: 9.5.0-alpha.6)

Code Analysis

Commit: 017290f

Fix: sanitize database error messages in DatabaseController (v9 branch)

```javascript
// Excerpt as shown in the advisory; the "..." elisions are in the source.
catch(error => {
  // Application-level Parse.Error instances already carry only client-safe
  // information, so they are rethrown unchanged.
  if (error instanceof Parse.Error) {
    throw error;
  }
  ...
  // Anything else (raw driver/database errors) is replaced with a
  // sanitized error before it can reach the API consumer.
  throw createSanitizedError(...);
})
```

Commit: e6745f8

Fix: sanitize database error messages in DatabaseController (v8 branch)

```javascript
// Excerpt as shown in the advisory; the "..." elisions are in the source.
catch(error => {
  // Application-level Parse.Error instances already carry only client-safe
  // information, so they are rethrown unchanged.
  if (error instanceof Parse.Error) {
    throw error;
  }
  ...
  // Anything else (raw driver/database errors) is replaced with a
  // sanitized error before it can reach the API consumer.
  throw createSanitizedError(...);
})
```

Exploit Details

  • Regression Test: Project regression test case demonstrating the malformed regex query and expected error structure.

Mitigation Strategies

  • Upgrade Parse Server to patched versions.
  • Enable sanitized error responses in configuration.
  • Implement WAF rules to block malformed regex in query parameters.

Remediation Steps:

  1. Identify the currently running version with `npm list parse-server`.
  2. If the version is below 8.6.7, or is 9.0.0 or later but below 9.5.0-alpha.6, schedule maintenance.
  3. Update the package: `npm install parse-server@8.6.7` on the 8.x branch, or `parse-server@9.5.0-alpha.6` on the 9.x branch.
  4. Restart the Node.js application service.
  5. Verify the fix by sending a malformed regex request (e.g., `{"field":{"$regex":"[abc"}}`) and confirming that the response is a generic error with no database metadata (no cluster timestamps, topology details, or driver error codes).
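The error-sanitization pattern from the two fix commits above and the verification in step 5, as an added JavaScript illustration that is not Parse Server's own code: a minimal stand-in for Parse.Error, a constructed MongoDB-style driver error, a stand-in createSanitizedError, and a leakedFields check that flags driver/cluster metadata keys in a JSON response body. The key list and the sample error fields are assumptions.

```javascript
// Added illustration, not Parse Server code. Keys that indicate a raw
// driver/cluster error object reached the client (assumed list).
const LEAK_KEYS = ['$clusterTime', 'operationTime', 'topologyVersion', 'codeName'];

// Minimal stand-in for Parse.Error: only what this example needs.
class ParseError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}
// Parse.Error.INTERNAL_SERVER_ERROR is 1 in the Parse JS SDK.
const INTERNAL_SERVER_ERROR = 1;

// Constructed sample of a driver error for an unterminated character class;
// the metadata fields mirror the kind of detail the advisory says leaked.
const rawDriverError = Object.assign(
  new Error('Regular expression is invalid: missing terminating ] for character class'),
  {
    code: 51091, codeName: 'Location51091', ok: 0,
    $clusterTime: { clusterTime: 'Timestamp(1700000000, 1)' },
    operationTime: 'Timestamp(1700000000, 1)',
    topologyVersion: { processId: 'ObjectId(<placeholder>)', counter: 3 },
  }
);

// Stand-in for the fix: pass Parse.Error through, replace everything else
// with a generic error so driver internals stay server-side.
function createSanitizedError(error) {
  if (error instanceof ParseError) return error;
  return new ParseError(INTERNAL_SERVER_ERROR, 'Internal server error.');
}

// Verification helper for step 5: walk a parsed response body and return
// any metadata keys that should not be visible to an API consumer.
function leakedFields(body) {
  const found = new Set();
  const walk = (v) => {
    if (v && typeof v === 'object') {
      for (const [k, val] of Object.entries(v)) {
        if (LEAK_KEYS.includes(k)) found.add(k);
        walk(val);
      }
    }
  };
  walk(body);
  return [...found].sort();
}

// Unpatched behaviour: the raw error is serialized as the API response.
const before = JSON.parse(JSON.stringify(rawDriverError));
// Patched behaviour: only the sanitized error is serialized.
const after = JSON.parse(JSON.stringify(createSanitizedError(rawDriverError)));
```

`leakedFields(before)` reports the four metadata keys, while `leakedFields(after)` is empty; only `code` survives serialization of the sanitized error.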
