CVE-2026-30925
HIGH
8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
HIGH
7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0001
Percentile
0,0th
Updated
EPSS Score Trend (Last 7 Days)
1333
Inefficient Regular Expression Complexity
DraftCommon Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Resource Consumption (Cpu)
Applicable Platforms
All platforms may be affected
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha11:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha10:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
Version Range Affected
To
8.6.11
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha12:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha13:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
Version Range Affected
From
9.0.0
(inclusive)
To
9.5.0
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Parse-Server by Parseplatform
CPE Identifier
View Detailed Analysis
cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/parse-community/parse-server/releases/tag/8.6.11
https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14
https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-8…