
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30925: Regular Expression Denial of Service (ReDoS) in Parse Server LiveQuery

Vulnerability ID: CVE-2026-30925
CVSS Score: 8.2
Published: 2026-03-10

Parse Server versions prior to 8.6.11 and 9.5.0-alpha.14 contain a critical vulnerability in the LiveQuery component. The application evaluates client-provided regular expressions directly on the single-threaded Node.js event loop without adequate execution limits. Unauthenticated attackers can submit crafted subscriptions that cause exponential backtracking, exhausting CPU resources and resulting in a complete denial of service.

TL;DR

Unauthenticated ReDoS in Parse Server LiveQuery allows attackers to halt the Node.js event loop via crafted $regex subscriptions, causing a complete denial of service.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: CWE-1333: Inefficient Regular Expression Complexity
  • Attack Vector: Network (WebSocket Subscription)
  • Authentication Required: None (Requires public application keys)
  • CVSS v4.0 Score: 8.2 (High)
  • Impact: Complete Denial of Service
  • Exploit Status: Proof of Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Parse Server LiveQuery Module
  • Parse Server: < 8.6.11 (Fixed in: 8.6.11)
  • Parse Server: >= 9.0.0, < 9.5.0-alpha.14 (Fixed in: 9.5.0-alpha.14)

Mitigation Strategies

  • Upgrade Parse Server to a patched version (8.6.11 or 9.5.0-alpha.14).
  • Implement a Cloud Code beforeSubscribe hook to reject $regex constraints.
  • Ensure the liveQuery.regexTimeout configuration is not set to 0.

Remediation Steps:

  1. Review the current Parse Server version deployed in the environment.
  2. Update the package.json dependencies to specify parse-server ^8.6.11 or ^9.5.0-alpha.14.
  3. Execute npm install or yarn install to fetch the updated packages.
  4. Restart the Parse Server process.
  5. Verify that the Parse Server initialization code does not set liveQuery.regexTimeout to 0.
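As an added example (not Parse Server's or this post's own code), the second and third mitigations above can be implemented and checked like this: a Cloud Code beforeSubscribe hook that rejects any subscription whose where clause carries a $regex constraint, plus a start-up check that liveQuery.regexTimeout has not been set to 0. It assumes the Parse Cloud Code API (Parse.Cloud.beforeSubscribe, request.query.toJSON(), Parse.Error.OPERATION_FORBIDDEN) and uses hypothetical class names and constructed sample queries.

```javascript
// Added example, not Parse Server's own code. Assumes the Parse Cloud Code
// API (Parse.Cloud.beforeSubscribe, request.query.toJSON()); the `Parse`
// global only exists inside Cloud Code, so registration is skipped elsewhere.

// Recursively look for a $regex key anywhere in a Parse "where" clause,
// including inside $or/$and/$nor arrays and nested operator objects.
function containsRegexConstraint(node) {
  if (Array.isArray(node)) return node.some(containsRegexConstraint);
  if (node === null || typeof node !== 'object') return false;
  for (const [key, value] of Object.entries(node)) {
    if (key === '$regex') return true;
    if (containsRegexConstraint(value)) return true;
  }
  return false;
}

// True when the server config explicitly disables the LiveQuery regex
// timeout (regexTimeout: 0), which is the setting the advisory warns about.
function regexTimeoutDisabled(serverConfig) {
  const lq = serverConfig && serverConfig.liveQuery;
  return !!lq && lq.regexTimeout === 0;
}

// Register the guard for every class exposed over LiveQuery (hypothetical
// class names). Throwing inside the hook rejects the subscription.
function registerRegexGuard(classNames) {
  if (typeof Parse === 'undefined' || !Parse.Cloud) return false;
  for (const className of classNames) {
    Parse.Cloud.beforeSubscribe(className, (request) => {
      const where = request.query.toJSON().where || {};
      if (containsRegexConstraint(where)) {
        throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
          '$regex constraints are not allowed in LiveQuery subscriptions');
      }
    });
  }
  return true;
}

// Constructed sample where clauses, as the server would see them.
const SAMPLE_SAFE = { status: 'open', owner: { $in: ['alice', 'bob'] } };
const SAMPLE_REGEX = { $or: [{ title: 'x' }, { body: { $regex: '^foo' } }] };

// Call from Cloud Code start-up, e.g. registerRegexGuard(['Message', 'Room']).
```

The config check is meant to run against the object passed to the ParseServer constructor before the server starts, so a regexTimeout of 0 is caught at deploy time rather than under load.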

Read the full report for CVE-2026-30925 on our website for more details including interactive diagrams and full exploit analysis.
