CVE-2026-32770
Denial of Service via Invalid Regex in Parse Server LiveQuery

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. The fix in 9.6.0-alpha.19 and 8.6.43 validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. As a workaround, disable LiveQuery if it is not needed.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-19
Generated: 2026-06-16
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.6.0
parseplatform parse-server From 9.0.0 (inc) to 9.6.0 (exc)
parseplatform parse-server to 8.6.43 (exc)
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
Executive Summary

This vulnerability affects Parse Server, an open source backend that runs on Node.js. Before versions 9.6.0-alpha.19 and 8.6.43, a remote attacker could cause the server to crash by subscribing to a LiveQuery using an invalid regular expression pattern. When the server tries to process this invalid pattern, it causes the regex engine to fail, terminating the server process.

The crash results in a denial of service for all clients connected to the server. The issue is fixed in the mentioned versions by validating regex patterns at subscription time and adding error handling to prevent crashes.

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the Parse Server by crashing the server process when an invalid regular expression pattern is used in a LiveQuery subscription. This means that all connected clients will lose service until the server is restarted or the issue is resolved.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 9.6.0-alpha.19 or 8.6.43 or later, where the issue is fixed by validating regular expression patterns at subscription time and adding a try-catch to prevent crashes.

As a workaround, if LiveQuery is not needed, you can disable LiveQuery to prevent the vulnerability from being exploited.
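
The two layers of the fix described above (validation at subscription time, then a defensive try-catch around matching), sketched as an added example. It is not Parse Server's code: the in-memory store, the function names and the `$regex`/`$options` query shape are assumptions, and only regex constraints are evaluated.

```javascript
// Hypothetical in-memory subscription store; not Parse Server's implementation.
// Assumed query shape: { field: { $regex: 'pattern', $options: 'i' } }.

// Compile every $regex constraint; throws on a malformed pattern or flag.
function compileConstraints(where) {
  const compiled = {};
  for (const [field, constraint] of Object.entries(where)) {
    if (constraint && typeof constraint === 'object' && '$regex' in constraint) {
      if (typeof constraint.$regex !== 'string') throw new TypeError('$regex must be a string');
      compiled[field] = new RegExp(constraint.$regex, constraint.$options || '');
    }
  }
  return compiled;
}

// Layer 1: validate at subscription time and reject before anything is stored.
function subscribe(store, id, where) {
  try {
    compileConstraints(where);
  } catch (err) {
    return { ok: false, error: `invalid query: ${err.message}` };
  }
  store.set(id, where);
  return { ok: true };
}

// Layer 2: an error while matching one subscription must not escape the loop.
function matchAll(store, object) {
  const matched = [], errors = [];
  for (const [id, where] of store) {
    try {
      const compiled = compileConstraints(where);
      const hit = Object.entries(compiled)
        .every(([field, re]) => typeof object[field] === 'string' && re.test(object[field]));
      if (hit) matched.push(id);
    } catch (err) {
      errors.push({ id, message: err.message }); // record and skip; other clients keep being served
    }
  }
  return { matched, errors };
}

// Constructed sample input.
const store = new Map();
const good = subscribe(store, 'sub-1', { name: { $regex: '^al', $options: 'i' } });
const bad = subscribe(store, 'sub-2', { name: { $regex: '[abc' } });
store.set('legacy', { name: { $regex: '(' } }); // simulates an entry stored before validation existed
const result = matchAll(store, { name: 'Alice' });
console.log(good, bad, result);
```
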
