PT-2026-25984 · Unknown · Parse Server

Fancymalware · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-32770

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.19
Parse Server versions prior to 8.6.43
Parse Server versions prior to 9.6.0

Description

A remote attacker can cause a denial of service by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, impacting all connected clients. The issue occurs because the server does not validate regular expression patterns at subscription time.

Recommendations

Update to Parse Server version 9.6.0-alpha.19 or later.
Update to Parse Server version 8.6.43 or later.
Update to Parse Server version 9.6.0 or later.
Disable LiveQuery if it is not needed.
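
The check the description says was missing, validating regex patterns at subscription time, can be sketched as follows. This is an added example, not Parse Server's code or its actual fix; the `$regex`/`$options` constraint shape, the subscribe message layout, and the function names `findInvalidRegex` and `validateSubscription` are assumptions made for illustration.

```javascript
// Added example, not Parse Server code. Assumes regex constraints are carried
// as {$regex, $options} objects and matched with JavaScript RegExp.

// Walk a `where` clause and return every regex constraint that fails to compile.
function findInvalidRegex(where, path = 'where') {
  const problems = [];
  if (Array.isArray(where)) {
    where.forEach((item, i) => problems.push(...findInvalidRegex(item, `${path}[${i}]`)));
    return problems;
  }
  if (where === null || typeof where !== 'object') return problems;
  if (Object.prototype.hasOwnProperty.call(where, '$regex')) {
    const pattern = where.$regex;
    const options = where.$options === undefined ? '' : where.$options;
    if (typeof pattern !== 'string' || typeof options !== 'string') {
      problems.push({ path, reason: '$regex and $options must be strings' });
    } else {
      try {
        new RegExp(pattern, options); // compile now, while the error can still be caught
      } catch (err) {
        problems.push({ path, reason: err.message });
      }
    }
  }
  for (const [key, value] of Object.entries(where)) {
    if (key !== '$regex' && key !== '$options') {
      problems.push(...findInvalidRegex(value, `${path}.${key}`));
    }
  }
  return problems;
}

// Hypothetical gate called when a subscribe message arrives: reject before storing.
function validateSubscription(message) {
  const problems = findInvalidRegex(message.query && message.query.where);
  return problems.length === 0 ? { accepted: true } : { accepted: false, problems };
}

// Constructed sample messages (shape is an assumption for this example).
const samples = [
  { op: 'subscribe', requestId: 1, query: { className: 'Player', where: { name: { $regex: '^al', $options: 'i' } } } },
  { op: 'subscribe', requestId: 2, query: { className: 'Player', where: { name: { $regex: '[a-' } } } },
  { op: 'subscribe', requestId: 3, query: { className: 'Player', where: { $or: [{ name: 'x' }, { tag: { $regex: '(' } }] } } },
];
for (const m of samples) {
  console.log(m.requestId, JSON.stringify(validateSubscription(m)));
}
```

Rejecting the subscription with an error response keeps the failure scoped to the one client that sent it, instead of surfacing later during matching.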

Exploit

Fix

DoS


Weakness Enumeration

Related identifiers

BIT-PARSE-2026-32770
CVE-2026-32770
GHSA-827P-G5X5-H86C

Affected products

Parse Server