Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | < 8.6.11 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/releases/tag/8.6.11ProductRelease Notes
- https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14ProductRelease Notes
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86MitigationPatchVendor Advisory
FAQ
What is CVE-2026-30925?
CVE-2026-30925 is a vulnerability with a CVSS score of 7.5 (HIGH). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a craft...
How severe is CVE-2026-30925?
CVE-2026-30925 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30925?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.