PT-2026-24151 · Unknown · Parse Server

Tinkanet · Published 2026-03-09 · Updated 2026-03-18 · CVE-2026-30925

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.5.0-alpha.14
Parse Server versions prior to 8.6.11

Description
A crafted $regex pattern within a LiveQuery subscription can cause catastrophic backtracking, blocking the Node.js event loop and rendering the entire Parse Server unresponsive. An attacker requires only the application ID and JavaScript key, which are typically public in client-side applications, to exploit this issue. Only Parse Server deployments with LiveQuery enabled are affected: LiveQuery subscription matching evaluates the regex in JavaScript on the Node.js event loop, whereas normal REST and GraphQL queries are not affected because their regex evaluation occurs within the database engine.

Recommendations
Update to Parse Server version 9.5.0-alpha.14 or later.
Update to Parse Server version 8.6.11 or later.
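The exposure described above comes from evaluating a client-supplied regex in JavaScript on the event loop, so a compensating control is to refuse risky patterns before a subscription is accepted. The following is an added example, not Parse Server's own code or its fix: it statically scans every $regex value in a Parse-style `where` clause and rejects patterns that are too long, syntactically invalid, or carry a quantifier applied to a group that itself contains a quantifier (the classic catastrophic-backtracking shape). The function names, the length cap, and the sample queries are this example's own assumptions.

```javascript
// Added example (not Parse Server code): pre-validate $regex values in a
// LiveQuery subscription's where clause before it is registered for matching.

const MAX_PATTERN_LENGTH = 256; // assumption: tune to the longest legitimate pattern

// Detect a quantified group whose body already contains a quantifier, e.g. (a+)+.
// Escapes, character classes and (?: ...) style group prefixes are skipped so
// they do not produce false positives. This is a heuristic for the most common
// ReDoS shape, not a proof that a pattern is safe.
function hasNestedQuantifier(pattern) {
  const stack = []; // one flag per open group: has a quantifier been seen inside it?
  let escaped = false;
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') {
      stack.push(false);
      if (pattern[i + 1] === '?') i += 2; // skip "?:", "?=", "?!", "?<" prefixes
      continue;
    }
    if (ch === ')') {
      if (stack.length === 0) continue; // unbalanced; the syntax check catches it
      const innerHasQuantifier = stack.pop();
      const next = pattern[i + 1];
      const outerQuantified = next === '+' || next === '*' || next === '{';
      if (outerQuantified && innerHasQuantifier) return true;
      if (stack.length > 0 && (innerHasQuantifier || outerQuantified)) {
        stack[stack.length - 1] = true; // propagate to the enclosing group
      }
      continue;
    }
    if ('+*?{'.includes(ch) && stack.length > 0) stack[stack.length - 1] = true;
  }
  return false;
}

// Verdict for a single $regex value.
function checkRegexPattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  try { new RegExp(pattern); } catch (e) { return { ok: false, reason: 'invalid syntax' }; }
  if (hasNestedQuantifier(pattern)) return { ok: false, reason: 'nested quantifier' };
  return { ok: true };
}

// Walk a Parse-style where clause (field constraints, $or/$and/$nor arrays,
// nested objects) and return the first offending $regex, or null if none.
function findUnsafeRegex(where, path = 'where') {
  if (Array.isArray(where)) {
    for (let i = 0; i < where.length; i++) {
      const hit = findUnsafeRegex(where[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (where && typeof where === 'object') {
    for (const [key, value] of Object.entries(where)) {
      if (key === '$regex') {
        const verdict = checkRegexPattern(value);
        if (!verdict.ok) return { path, pattern: value, reason: verdict.reason };
      } else {
        const hit = findUnsafeRegex(value, `${path}.${key}`);
        if (hit) return hit;
      }
    }
  }
  return null;
}

// Refuse the subscription outright rather than letting the pattern reach the matcher.
function validateSubscriptionQuery(query) {
  const hit = findUnsafeRegex(query.where || {});
  if (hit) throw new Error(`rejected $regex at ${hit.path}: ${hit.reason}`);
  return true;
}

// Constructed sample subscription queries (not taken from the advisory).
const benignQuery = {
  className: 'Message',
  where: { text: { $regex: '^hello' }, $or: [{ room: 'a' }, { room: { $regex: '^lobby-[0-9]+$' } }] },
};
const riskyQuery = { className: 'Message', where: { text: { $regex: '^(a+)+$' } } };

console.log(validateSubscriptionQuery(benignQuery)); // true
try { validateSubscriptionQuery(riskyQuery); } catch (e) { console.log(e.message); }
```

In a deployment this check would sit in Parse Server's `beforeSubscribe` cloud trigger so that a refused subscription never reaches the event-loop matcher; because the nested-quantifier scan is a heuristic and misses other pathological shapes (overlapping alternation, for instance), it complements rather than replaces the version upgrade in the recommendations.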

Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-30925
CVE-2026-30925
GHSA-MF3J-86QX-CQ5J

Affected Products

Parse Server