Parse Server, Regex DoS, CVE-2026-30925 (Critical)

Listen to this Post

A malicious client can exploit a Regular Expression Denial of Service (ReDoS) vulnerability in Parse Server by subscribing to a LiveQuery with a crafted `$regex` pattern. This pattern causes catastrophic backtracking during the JavaScript evaluation of the regex on the Node.js event loop. Because the evaluation is synchronous, it blocks the event loop entirely, making the entire Parse Server instance unresponsive to all clients. The attack is possible on any deployment with LiveQuery enabled and requires only publicly available application credentials. Normal REST and GraphQL queries are not vulnerable as their regex is evaluated by the database engine. The vulnerability is fixed by isolating regex evaluation in a virtual machine context with a configurable timeout (liveQuery.regexTimeout), defaulting to 100ms. Regex evaluations exceeding this timeout are treated as non-matching, preventing event loop blockage. This fix introduces a minor performance overhead of about 50 microseconds per evaluation, which can accumulate with a massive number of concurrent subscriptions.

dailycve form:

Platform: Parse Server
Version: <8.6.11, <9.5.0-alpha.14
Vulnerability: Regex DoS
Severity: Critical
date: 2026-03-09

Prediction: Already patched

What Undercode Say:

Analytics:

Check current LiveQuery subscriptions for regex patterns.

// Placeholder: Parse Server Log Analysis
// Monitor for slow regex evaluations after patching.
grep "liveQuery.regexTimeout" /var/log/parse-server.log

Configure the new regex timeout protection.

// Parse Server Configuration
{
liveQuery: {
regexTimeout: 100 // Timeout in ms, default 100
}
}

Benchmark regex evaluation overhead.

Use `time` to simulate an object save event with 10k regex subs
Placeholder for performance testing command
time node benchmark.js

How Exploit:

The attacker crafts a malicious LiveQuery subscription.

// Malicious Subscription Payload
{
className: "MyClass",
where: {
// Vulnerable regex causing catastrophic backtracking
fieldName: { $regex: "^(a+)+$" } // Example pattern
}
}

Protection from this CVE:

Upgrade to patched version or implement workaround using Cloud Code.

// Cloud Code Workaround: beforeSubscribe hook
Parse.Cloud.beforeSubscribe('MyClass', (request) => {
const where = request.query._where || {};
for (const key in where) {
const value = where[bash];
if (value && typeof value === 'object' && value.$regex) {
// Also blocks startsWith, endsWith, contains
throw new Parse.Error(
Parse.Error.OPERATION_FORBIDDEN,
'$regex not allowed in LiveQuery subscriptions'
);
}
}
});

Impact:

A successful exploit causes complete denial of service by freezing the Node.js event loop, affecting all clients relying on LiveQuery functionality. The attack requires minimal effort and public credentials. While patched versions introduce a timeout to mitigate this, high-volume regex subscriptions may still incur performance overhead.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top