CVE-2026-32770
Status: Received (Intake)
Denial of Service via Invalid Regex in Parse Server LiveQuery

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. The fix in 9.6.0-alpha.19 and 8.6.43 validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. As a workaround, disable LiveQuery if it is not needed.
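The two fixes the description names, rejecting an invalid pattern at subscription time and wrapping subscription matching in a try-catch so a throwing matcher cannot take the process down, as an added JavaScript example. This is not Parse Server's own code: it assumes a simplified Parse-style where-clause of the form { field: { $regex, $options } } with $and/$or, and an in-memory SubscriptionRegistry standing in for the LiveQuery server. All function and class names are hypothetical.

```javascript
// Added example, not Parse Server code: validate $regex patterns when a
// LiveQuery-style subscription is created, and guard matching so an error in
// the matcher is logged instead of becoming an uncaught exception.

// Compile a pattern and report failure instead of throwing.
function validateRegex(pattern, flags = '') {
  if (typeof pattern !== 'string') {
    return { ok: false, error: '$regex must be a string' };
  }
  try {
    new RegExp(pattern, flags); // throws SyntaxError on a bad pattern or bad flags
    return { ok: true };
  } catch (err) {
    return { ok: false, error: `invalid regular expression: ${err.message}` };
  }
}

// Walk a where-clause (assumed shape: { field: { $regex, $options } } plus
// $and/$or arrays) and return the first invalid pattern found, or null.
function findInvalidRegex(where) {
  if (!where || typeof where !== 'object') return null;
  for (const [key, value] of Object.entries(where)) {
    if ((key === '$and' || key === '$or') && Array.isArray(value)) {
      for (const sub of value) {
        const bad = findInvalidRegex(sub);
        if (bad) return bad;
      }
    } else if (value && typeof value === 'object' && '$regex' in value) {
      const res = validateRegex(value.$regex, value.$options || '');
      if (!res.ok) return { field: key, pattern: value.$regex, error: res.error };
    }
  }
  return null;
}

// Minimal matcher: equality for plain values, $regex/$options for regex constraints.
// Deliberately compiles the pattern here, as the vulnerable path did.
function matches(object, where) {
  for (const [key, cond] of Object.entries(where)) {
    if (key === '$and') { if (!cond.every(c => matches(object, c))) return false; continue; }
    if (key === '$or') { if (!cond.some(c => matches(object, c))) return false; continue; }
    const actual = object[key];
    if (cond && typeof cond === 'object' && '$regex' in cond) {
      const re = new RegExp(cond.$regex, cond.$options || ''); // throws on invalid pattern
      if (typeof actual !== 'string' || !re.test(actual)) return false;
    } else if (actual !== cond) {
      return false;
    }
  }
  return true;
}

// Fix 2 (defense in depth): a throwing matcher counts as "no match" and is
// logged, so nothing propagates as an uncaught exception out of dispatch.
function safeMatches(object, where) {
  try {
    return matches(object, where);
  } catch (err) {
    console.error('subscription matching error (ignored):', err.message);
    return false;
  }
}

// In-memory subscription registry standing in for the LiveQuery server.
class SubscriptionRegistry {
  constructor() { this.subscriptions = new Map(); this.nextId = 1; }

  // Fix 1: reject invalid patterns before the subscription is stored.
  subscribe(where) {
    const bad = findInvalidRegex(where);
    if (bad) {
      return { ok: false, error: `rejected subscription: field "${bad.field}" ${bad.error}` };
    }
    const id = this.nextId++;
    this.subscriptions.set(id, where);
    return { ok: true, id };
  }

  // Return the ids of subscriptions matched by an object; never throws.
  dispatch(object) {
    const matched = [];
    for (const [id, where] of this.subscriptions) {
      if (safeMatches(object, where)) matched.push(id);
    }
    return matched;
  }
}

// Stand-alone demonstration with constructed inputs.
const registry = new SubscriptionRegistry();
console.log(registry.subscribe({ name: { $regex: '^abc[' } }));            // rejected
const good = registry.subscribe({ name: { $regex: '^ab', $options: 'i' } }); // accepted
console.log(good, registry.dispatch({ name: 'ABCD' }));                    // [good.id]
```

Both layers matter: the subscription-time check is the primary fix and gives the client a clear error, while the try-catch in the matching path covers any pattern that reaches the matcher by another route, which is exactly the case the test below simulates by inserting a bad pattern directly into the registry.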
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 20 associated CPEs
Vendor          Product        Version / Range
parseplatform   parse-server   9.6.0
parseplatform   parse-server   From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform   parse-server   to 8.6.43 (exc)
CWE
CWE-248 (Uncaught Exception): An exception is thrown from a function, but it is not caught.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Parse Server, an open source backend that runs on Node.js. Before versions 9.6.0-alpha.19 and 8.6.43, a remote attacker could cause the server to crash by subscribing to a LiveQuery using an invalid regular expression pattern. When the server tries to process this invalid pattern, it causes the regex engine to fail, terminating the server process.

The crash results in a denial of service for all clients connected to the server. The issue is fixed in the mentioned versions by validating regex patterns at subscription time and adding error handling to prevent crashes.


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) on the Parse Server by crashing the server process when an invalid regular expression pattern is used in a LiveQuery subscription. This means that all connected clients will lose service until the server is restarted or the issue is resolved.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Parse Server to version 9.6.0-alpha.19 or 8.6.43 or later, where the issue is fixed by validating regular expression patterns at subscription time and adding a try-catch to prevent crashes.

As a workaround, if LiveQuery is not needed, you can disable LiveQuery to prevent the vulnerability from being exploited.

