CVE-2026-30925
Regex Catastrophic Backtracking in Parse Server LiveQuery Causes DoS

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
15 associated CPEs

Vendor         Product        Version / Range
parseplatform  parse-server   From 9.0.0 (inc) to 9.5.0 (exc)
parseplatform  parse-server   9.5.0 (13 separate CPE entries, all shown with version 9.5.0)
parseplatform  parse-server   to 8.6.11 (exc)
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30925 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Parse Server's LiveQuery feature. A malicious client can send a specially crafted $regex pattern in a LiveQuery subscription that causes catastrophic backtracking during regex evaluation on the Node.js event loop. This blocks the event loop, making the entire Parse Server unresponsive and affecting all connected clients.

The attacker only needs the public application ID and JavaScript key, which are exposed in client-side applications, to exploit this vulnerability. It only affects LiveQuery subscription regex matching, which is evaluated in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex evaluation is handled by the database engine.

This vulnerability was fixed in Parse Server versions 9.5.0-alpha.14 and 8.6.11 by isolating regex evaluation in a VM context with a timeout to prevent event loop blocking. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can cause a denial of service by making the entire Parse Server unresponsive. When exploited, the Node.js event loop is blocked due to catastrophic backtracking in regex evaluation, which affects all clients connected to the server.

The impact is primarily on availability, as the server becomes unresponsive and cannot process requests. There is no impact on confidentiality or integrity.

Because the attacker only needs publicly available credentials (application ID and JavaScript key), the attack complexity is low and no privileges or user interaction are required.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is triggered by a malicious client subscribing to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking and blocks the Node.js event loop, making the Parse Server unresponsive.

Detection can focus on monitoring the Parse Server's responsiveness and identifying unusual or excessive CPU usage on the Node.js event loop, especially during LiveQuery subscription requests involving $regex patterns.

Since the vulnerability is exploited via network requests containing crafted $regex patterns in LiveQuery subscriptions, inspecting network traffic for suspicious LiveQuery subscription requests with $regex operators can help detect attempts.

Specific commands are not provided in the available resources, but general approaches include:

- Use system monitoring tools (e.g., top, htop) to observe high CPU usage or event loop blocking on the Parse Server host.
- Capture and analyze network traffic to identify LiveQuery subscription requests containing $regex parameters.
- Enable logging on Parse Server to detect and log LiveQuery subscription requests and inspect for regex usage. [3]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Parse Server to version 9.5.0-alpha.14 or 8.6.11 or later, where the vulnerability is fixed.

The fix involves running regex evaluation in LiveQuery subscriptions inside an isolated VM context with a configurable timeout (default 100 ms) to prevent event loop blocking.

As an immediate workaround, use the beforeSubscribe Cloud Code hook to reject any LiveQuery subscription containing a $regex operator. This also blocks related query methods like startsWith, endsWith, and contains, which internally use $regex.

Adjust the liveQuery.regexTimeout configuration option as needed to control the regex evaluation timeout.
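The two defender-side pieces described above, inspecting LiveQuery subscription messages for $regex operators and rejecting such subscriptions from a beforeSubscribe Cloud Code hook, share one task: walking a subscription's where-clause for a $regex key, including inside $or/$and arrays and nested subqueries. The example below is added here and is not Parse Server's own code. It assumes the documented Cloud Code API Parse.Cloud.beforeSubscribe(className, handler) and that request.query.toJSON().where yields the subscription's where-clause; the class names in GUARDED_CLASSES are hypothetical, and the subscription messages are constructed samples (benign anchored patterns, as startsWith produces), not captured traffic.

```javascript
// Added example, not Parse Server project code.
// Assumptions: Parse.Cloud.beforeSubscribe(className, handler) and
// request.query.toJSON().where behave as in Parse Server's documented Cloud Code API.

const REGEX_OPERATOR = '$regex';

// Recursively search a where-clause (or any nested JSON value) for a $regex key.
// Returns the dotted path of the first match (e.g. "title.$regex"), or null.
function findRegexPath(node, path = []) {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findRegexPath(node[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === REGEX_OPERATOR) return path.concat(key).join('.');
      const hit = findRegexPath(value, path.concat(key));
      if (hit) return hit;
    }
  }
  return null;
}

function containsRegex(where) {
  return findRegexPath(where) !== null;
}

// Detection side: classify one LiveQuery protocol message.
// Assumed subscribe-op shape: { op: 'subscribe', requestId, query: { className, where } }.
function inspectLiveQueryMessage(msg) {
  if (!msg || msg.op !== 'subscribe' || !msg.query) {
    return { flagged: false, reason: 'not a subscribe op' };
  }
  const path = findRegexPath(msg.query.where || {});
  return path
    ? { flagged: true, className: msg.query.className, path }
    : { flagged: false, className: msg.query.className };
}

// Constructed sample messages (not captured traffic); the patterns are benign.
const SAMPLE_MESSAGES = [
  { op: 'connect', applicationId: 'APP_ID_PLACEHOLDER' },
  { op: 'subscribe', requestId: 1, query: { className: 'Post', where: { author: 'alice' } } },
  // What query.startsWith('title', 'Hello') becomes on the wire:
  { op: 'subscribe', requestId: 2, query: { className: 'Post', where: { title: { $regex: '^Hello' } } } },
  { op: 'subscribe', requestId: 3, query: { className: 'Message',
      where: { $or: [{ room: 'general' }, { text: { $regex: 'abc', $options: 'i' } }] } } },
];

// Return the requestIds of subscriptions that carry a $regex operator.
function flaggedRequestIds(messages) {
  return messages.filter((m) => inspectLiveQueryMessage(m).flagged).map((m) => m.requestId);
}

// Mitigation side: a beforeSubscribe handler that rejects any $regex subscription
// on the given class. Throwing from the hook rejects the subscription.
function makeRejectRegexHook(className) {
  return (request) => {
    const where = request.query && typeof request.query.toJSON === 'function'
      ? (request.query.toJSON().where || {})
      : {};
    const path = findRegexPath(where);
    if (path) {
      throw new Error(`$regex is not allowed in LiveQuery subscriptions on ${className} (at ${path})`);
    }
  };
}

// Hypothetical class names; register one hook per class that LiveQuery exposes.
const GUARDED_CLASSES = ['Post', 'Message'];

// Only register when running inside the Parse Cloud Code runtime.
if (typeof Parse !== 'undefined' && Parse.Cloud && typeof Parse.Cloud.beforeSubscribe === 'function') {
  for (const className of GUARDED_CLASSES) {
    Parse.Cloud.beforeSubscribe(className, makeRejectRegexHook(className));
  }
}

module.exports = { findRegexPath, containsRegex, inspectLiveQueryMessage, flaggedRequestIds, makeRejectRegexHook, SAMPLE_MESSAGES };
```

Because startsWith, endsWith and contains are all serialized as $regex, the hook blocks those too, exactly as the workaround above states; the inspection function is the same walk applied to messages seen on the wire or in Parse Server's LiveQuery logs, so a flagged requestId can be correlated with the CPU spike the monitoring step looks for.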

