PT-2026-25984 · Npm · Parse Server
Published
2026-03-17
·
Updated
2026-03-17
·
CVE-2026-32770
CVSS v3.1
5.9
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Impact
A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.
Patches
The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.
Workarounds
Disable LiveQuery if it is not needed.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Parse Server