Parse Server, Denial of Service via ReDoS, CVE-2026-30925 (High)

Listen to this Post

A remote attacker can crash a Parse Server instance by subscribing to a LiveQuery with an invalid regular expression pattern. The vulnerability exists because the server evaluates client-provided regex patterns directly on the single-threaded Node.js event loop during subscription matching without adequate execution limits or input validation. When the regex engine encounters a malformed or inefficient pattern, it enters a state of catastrophic backtracking, which consumes 100% CPU and blocks the event loop indefinitely. This causes the entire server process to terminate, resulting in a complete denial of service for all connected clients. The attack requires only the public application ID and JavaScript key, making it trivially easy to execute against any exposed LiveQuery server. The flaw is rooted in CWE-1333 (Inefficient Regular Expression Complexity). Patches introduce validation at subscription time to reject invalid patterns before storage and implement a defense-in-depth try-catch to ensure no subscription matching error crashes the process .
Platform: Parse Server
Version: >=9.0.0 <9.6.0-alpha.19, <8.6.43
Vulnerability : Regular Expression DoS
Severity: High (CVSS 8.2)
date: March 17, 2026

Prediction: Patches already available

What Undercode Say:

Analytics:

The vulnerability affects all Parse Server deployments with LiveQuery enabled, which is a core feature for real-time applications. The attack vector is network-based via WebSocket subscriptions and requires no authentication beyond publicly discoverable keys. Given the low attack complexity and high availability impact, this is expected to be weaponized quickly once analysis is complete.

Exploit:

A malicious client can crash the server by subscribing with the following payload:

// Attacker subscribes to LiveQuery with catastrophic regex
const query = new Parse.Query('GameScore');
query.matches('playerName', '^(a+)+$'); // Vulnerable pattern
const subscription = await query.subscribe();
// Sending a long string of 'a's triggers backtracking
// The server attempts to evaluate: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa!'

The regex `^(a+)+$` causes exponential backtracking when matching a string of ‘a’s followed by a non-matching character. This blocks the event loop and crashes the server .

Protection from this CVE:

  1. Immediately upgrade to patched versions: `8.6.43` or `9.6.0-alpha.19`
    2. If upgrade is impossible, disable LiveQuery feature completely
  2. Implement a Cloud Code `beforeSubscribe` hook to reject subscriptions containing `$regex` operators
  3. Set `liveQuery.regexTimeout` to a non-zero value (milliseconds) to limit regex execution time

Impact:

Successful exploitation results in complete denial of service. The server process terminates, disconnecting all real-time clients and rendering the backend unavailable for both LiveQuery and regular operations until manually restarted. There is no data breach or integrity loss, but availability is entirely compromised.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top