PT-2026-25984 · Unknown · Parse Server

Fancymalware · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-32770

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.19
Parse Server versions prior to 8.6.43
Parse Server versions prior to 9.6.0

Description

A remote attacker can cause a denial of service by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, impacting all connected clients. The issue occurs because the server does not validate regular expression patterns at subscription time.

Recommendations

Update to Parse Server version 9.6.0-alpha.19 or later.
Update to Parse Server version 8.6.43 or later.
Update to Parse Server version 9.6.0 or later.
Disable LiveQuery if it is not needed.
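
The check the description says was missing, validating patterns when the subscription is received rather than when it is matched, could look like the following. This is an added example, not Parse Server's code or its actual fix: the function names and sample subscriptions are assumptions, and it assumes `$regex`/`$options` arrive as strings in the subscription's `where` clause and are compiled by the JavaScript `RegExp` engine.

```javascript
// Added example; function names are hypothetical, not Parse Server's API.
// Collect every $regex constraint in a subscription "where" clause,
// including ones nested inside arrays such as $or / $and.
function collectRegexConstraints(where, path = '', out = []) {
  if (Array.isArray(where)) {
    where.forEach((item, i) => collectRegexConstraints(item, `${path}[${i}]`, out));
  } else if (where !== null && typeof where === 'object') {
    if (Object.prototype.hasOwnProperty.call(where, '$regex')) {
      out.push({ path, pattern: where.$regex, options: where.$options });
    }
    for (const [key, value] of Object.entries(where)) {
      if (key !== '$regex' && key !== '$options') {
        collectRegexConstraints(value, path ? `${path}.${key}` : key, out);
      }
    }
  }
  return out;
}

// Returns rejection reasons; an empty array means the subscription can be
// accepted. Compiling here, inside try/catch, keeps a bad pattern from ever
// reaching the matching path where an uncaught exception ends the process.
function validateSubscriptionWhere(where) {
  const errors = [];
  for (const { path, pattern, options } of collectRegexConstraints(where)) {
    if (typeof pattern !== 'string') {
      errors.push(`${path}: $regex must be a string`);
    } else if (options !== undefined && typeof options !== 'string') {
      errors.push(`${path}: $options must be a string`);
    } else {
      try {
        new RegExp(pattern, options || '');
      } catch (err) {
        errors.push(`${path}: invalid regular expression (${err.name})`);
      }
    }
  }
  return errors;
}

// Constructed sample subscriptions (not taken from the advisory).
const validWhere = { name: { $regex: '^par', $options: 'i' } };
const invalidWhere = {
  $or: [{ name: { $regex: '^ok$' } }, { title: { $regex: '[unclosed' } }],
};
console.log(validateSubscriptionWhere(validWhere));
console.log(validateSubscriptionWhere(invalidWhere));
```

A server applying this at subscribe time would reply to the offending client with an error and keep running, so other connected clients are unaffected.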

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-32770
CVE-2026-32770
GHSA-827P-G5X5-H86C

Affected Products

Parse Server