CVE-2026-30925 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains a Regular Expression Denial of Service (ReDoS) vulnerability in its LiveQuery feature. Prior to versions 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop and rendering the entire Parse Server unresponsive.
Critical Impact
Any Parse Server deployment with LiveQuery enabled is vulnerable. An attacker only needs the application ID and JavaScript key—both of which are publicly exposed in client-side applications—to exploit this vulnerability and cause a complete denial of service affecting all connected clients.
Affected Products
- Parse Server versions prior to 8.6.11
- Parse Server versions 9.5.0-alpha.1 through 9.5.0-alpha.13
- Any Parse Server deployment with LiveQuery enabled running on Node.js
Discovery Timeline
- 2026-03-10 - CVE-2026-30925 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30925
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), commonly known as Regular Expression Denial of Service (ReDoS). The flaw exists in how Parse Server's LiveQuery subscription matching evaluates regular expressions. Unlike normal REST and GraphQL queries where regex patterns are evaluated by the database engine, LiveQuery subscription matching evaluates regex directly in JavaScript on the Node.js event loop.
Node.js operates on a single-threaded event loop model, meaning any blocking operation prevents all other requests from being processed. When a malicious client submits a carefully crafted regex pattern through a LiveQuery subscription, the pattern triggers catastrophic backtracking during evaluation. This exponential time complexity causes the regex engine to consume excessive CPU cycles, effectively freezing the entire server.
The attack is particularly concerning because it requires minimal attacker prerequisites—only the application ID and JavaScript key, which are inherently exposed in client-side applications that use Parse Server as their backend.
Root Cause
The root cause is insufficient validation and sanitization of user-supplied regular expression patterns in the LiveQuery subscription handling code. When a client creates a LiveQuery subscription with a $regex operator, the pattern is evaluated directly by the JavaScript regex engine without complexity analysis or timeout constraints. This allows specially crafted patterns with nested quantifiers or overlapping alternations to trigger exponential backtracking behavior.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication beyond the publicly available application ID and JavaScript key. An attacker can craft a malicious LiveQuery subscription request containing a regex pattern designed to cause catastrophic backtracking. When the server processes this subscription and attempts to match data against the malicious pattern, the regex evaluation consumes all available CPU resources, blocking the Node.js event loop and denying service to all legitimate clients.
The attack can be executed remotely by any client with access to the Parse Server's LiveQuery WebSocket endpoint. Since the application ID and JavaScript key are typically embedded in client-side code for mobile and web applications, obtaining these credentials is trivial for an attacker.
Detection Methods for CVE-2026-30925
Indicators of Compromise
- Sudden and sustained CPU utilization spikes on Parse Server instances
- Unresponsive Parse Server with clients experiencing connection timeouts
- LiveQuery WebSocket connections from suspicious or unknown sources
- Unusual $regex patterns in LiveQuery subscription logs
Detection Strategies
- Monitor Node.js event loop lag metrics for abnormal delays exceeding baseline thresholds
- Implement logging and alerting for LiveQuery subscriptions containing $regex operators
- Review WebSocket connection logs for patterns indicative of automated attack attempts
- Deploy application performance monitoring (APM) to detect sudden degradation in request processing times
Monitoring Recommendations
- Enable verbose logging for LiveQuery subscription requests, including the query parameters
- Configure alerts for CPU utilization exceeding normal operational thresholds on Parse Server hosts
- Monitor WebSocket connection counts and identify anomalous connection patterns
- Implement health checks that detect event loop blocking conditions
How to Mitigate CVE-2026-30925
Immediate Actions Required
- Upgrade Parse Server to version 8.6.11 or 9.5.0-alpha.14 or later immediately
- Audit existing LiveQuery subscriptions for potentially malicious regex patterns
- Consider temporarily disabling LiveQuery functionality if patching cannot be performed immediately
- Review and restrict network access to LiveQuery endpoints where possible
Patch Information
Parse Platform has released security patches addressing this vulnerability. Organizations should upgrade to one of the following fixed versions:
- Stable branch: Upgrade to Parse Server 8.6.11
- Alpha branch: Upgrade to Parse Server 9.5.0-alpha.14
For complete details on the vulnerability and remediation, refer to the GitHub Security Advisory GHSA-mf3j-86qx-cq5j.
Workarounds
- Disable LiveQuery functionality entirely if not required for application functionality
- Implement a Web Application Firewall (WAF) rule to inspect and block requests containing complex regex patterns
- Deploy rate limiting on LiveQuery subscription endpoints to slow potential attack attempts
- Consider placing Parse Server behind an API gateway that can validate and sanitize incoming queries
# Example: Update Parse Server using npm
npm update parse-server@8.6.11
# Verify installed version
npm list parse-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
