Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.3
Parse Server's LiveQuery can be crashed by malicious client requests
GHSA-mf3j-86qx-cq5j
CVE-2026-30925
GHSA-mf3j-86qx-cq5j
BIT-parse-2026-30925
Summary
If you're using Parse Server's LiveQuery feature, a malicious client could send a special request that crashes the server, making it unable to respond to any requests. This affects any Parse Server deployment that has LiveQuery enabled. To fix this, update to version 9.5.0-alpha.14 or 8.6.11.
What to do
- Update parse-server to version 9.5.0-alpha.14.
- Update parse-server to version 8.6.11.
- Update parse to version 9.5.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | > 9.0.0-alpha.1 , <= 9.5.0-alpha.14 | 9.5.0-alpha.14 |
| – | parse-server | <= 8.6.11 | 8.6.11 |
| parseplatform | parse-server | <= 8.6.11 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| parseplatform | parse-server | 9.5.0 | – |
| – | parse | > 9.0.0 , <= 9.5.0 | 9.5.0 |
Original title
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Original description
### Impact
A malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps.
This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine.
### Patches
Regex evaluation in LiveQuery subscription matching now runs in an isolated VM context with a configurable timeout via a new Parse Server option `liveQuery.regexTimeout, with defaults 100 ms. A regex that exceeds the timeout is treated as non-matching.
The protection adds approximately 50 microseconds of overhead per regex evaluation. For most applications this is negligible, but it can add up if there is a very large number of LiveQuery subscriptions that use `$regex` on the same class. For example, 10,000 concurrent regex subscriptions would add approximately 500ms of processing time per object save event on that class. Set `liveQuery.regexTimeout: 0` to disable the protection and use native regex evaluation without overhead.
### Workarounds
Use the `beforeSubscribe` Cloud Code hook to reject any LiveQuery subscription that contains a `$regex` operator. Note that this also blocks the LiveQuery `startsWith`, `endsWith`, and `contains` query methods, as they use `$regex` internally.
```js
// Repeat for each class that is used with LiveQuery
Parse.Cloud.beforeSubscribe('MyClass', request => {
const where = request.query._where || {};
for (const value of Object.values(where)) {
if (value?.$regex) {
throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, '$regex not allowed in LiveQuery subscriptions');
}
}
});
```
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.11
A malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps.
This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine.
### Patches
Regex evaluation in LiveQuery subscription matching now runs in an isolated VM context with a configurable timeout via a new Parse Server option `liveQuery.regexTimeout, with defaults 100 ms. A regex that exceeds the timeout is treated as non-matching.
The protection adds approximately 50 microseconds of overhead per regex evaluation. For most applications this is negligible, but it can add up if there is a very large number of LiveQuery subscriptions that use `$regex` on the same class. For example, 10,000 concurrent regex subscriptions would add approximately 500ms of processing time per object save event on that class. Set `liveQuery.regexTimeout: 0` to disable the protection and use native regex evaluation without overhead.
### Workarounds
Use the `beforeSubscribe` Cloud Code hook to reject any LiveQuery subscription that contains a `$regex` operator. Note that this also blocks the LiveQuery `startsWith`, `endsWith`, and `contains` query methods, as they use `$regex` internally.
```js
// Repeat for each class that is used with LiveQuery
Parse.Cloud.beforeSubscribe('MyClass', request => {
const where = request.query._where || {};
for (const value of Object.values(where)) {
if (value?.$regex) {
throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, '$regex not allowed in LiveQuery subscriptions');
}
}
});
```
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.11
ghsa CVSS4.0
8.2
Vulnerability type
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86...
- https://github.com/parse-community/parse-server/releases/tag/8.6.11
- https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14
- https://github.com/advisories/GHSA-mf3j-86qx-cq5j
- https://github.com/parse-community/parse-server Product
- https://nvd.nist.gov/vuln/detail/CVE-2026-30925
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026