CVE-2026-30925: CWE-1333: Inefficient Regular Expression Complexity in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.
AI Analysis
Technical Summary
Parse Server is an open-source backend platform running on Node.js, widely used for mobile and web applications. This vulnerability, identified as CVE-2026-30925 and classified under CWE-1333 (Inefficient Regular Expression Complexity), affects the LiveQuery feature of parse-server versions prior to 9.5.0-alpha.14 and 8.6.11. LiveQuery allows clients to subscribe to real-time updates using queries that may include regular expressions. The vulnerability occurs because the server evaluates these regex patterns in JavaScript on the Node.js event loop without sufficient safeguards against complex regex patterns that cause catastrophic backtracking. An attacker can craft a malicious $regex pattern that consumes excessive CPU cycles, blocking the single-threaded Node.js event loop. This blockage leads to a denial-of-service condition, making the entire Parse Server instance unresponsive and disrupting service for all clients. Exploitation requires only the application ID and JavaScript key, which are often exposed in client-side code, lowering the barrier for attackers. The vulnerability does not affect REST or GraphQL queries because their regex evaluations are offloaded to the database engine, which is not susceptible to this issue. The vulnerability was publicly disclosed on March 9, 2026, with a CVSS 4.0 score of 8.2 (high severity). No known exploits have been reported in the wild at the time of disclosure. The issue is resolved in parse-server versions 9.5.0-alpha.14 and 8.6.11 by improving regex handling to prevent catastrophic backtracking.
Potential Impact
The primary impact of this vulnerability is a denial-of-service (DoS) condition caused by blocking the Node.js event loop, which is single-threaded and critical for handling all incoming requests. When exploited, the entire Parse Server becomes unresponsive, affecting all connected clients and potentially causing significant service outages. This can disrupt real-time applications relying on LiveQuery for updates, such as chat apps, collaborative tools, or live dashboards. Since the attacker only needs publicly available credentials, the attack surface is broad and does not require privileged access or authentication. Organizations using parse-server with LiveQuery enabled face risks of service degradation or downtime, which can lead to loss of user trust, revenue impact, and operational disruption. Although no data breach or integrity compromise is indicated, the availability impact is severe. The vulnerability's ease of exploitation and broad impact on all clients connected to the server make it a critical concern for deployments in production environments.
Mitigation Recommendations
The most effective mitigation is to upgrade parse-server to version 9.5.0-alpha.14 or later, or 8.6.11 or later, where the vulnerability is fixed. Until upgrades can be applied, organizations should consider disabling LiveQuery if real-time updates are not critical, thereby eliminating the attack vector. If LiveQuery must remain enabled, implement strict input validation and sanitization on client-supplied regex patterns to detect and block overly complex or potentially malicious expressions. Rate limiting subscription requests per client can reduce the risk of abuse. Monitoring server performance and event loop latency metrics can help detect ongoing attacks early. Additionally, consider deploying parse-server behind a Web Application Firewall (WAF) or API gateway capable of detecting and blocking suspicious regex patterns or abnormal request rates. Finally, review client-side code to minimize exposure of application ID and JavaScript keys or implement additional authentication layers to restrict subscription access.
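As an added illustration of the "strict input validation" interim mitigation above (not parse-server's own code, and not a substitute for upgrading), the following screens every `$regex` value found in a LiveQuery subscribe `where` clause before it reaches the JavaScript regex engine. The length limit, the nested-quantifier heuristic and the helper names are assumptions to tune for your deployment.

```javascript
// Added defensive example, not parse-server's own code: screen client-supplied $regex
// values in a LiveQuery subscribe "where" clause before the JS regex engine sees them.
const MAX_PATTERN_LENGTH = 128; // assumed limit; tune for your schema

// Heuristic: an unbounded quantifier (* + {) applied to a group whose body already has
// one, e.g. (a+)+ or (\d*){2,}, is the classic backtracking shape. Overlapping
// alternation like (a|a)+ is not caught, so keep the length cap as a backstop.
function hasNestedQuantifier(pattern) {
  const stack = [];        // saved "body has quantifier" flag per open group
  let quantified = false;  // does the body being scanned contain a quantifier?
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                               // escaped literal
    if (c === '[') { const j = pattern.indexOf(']', i + 1); if (j < 0) break; i = j; continue; }
    if (c === '(') { stack.push(quantified); quantified = false; continue; }
    if (c === ')') {
      const bodyHadQuantifier = quantified;
      quantified = (stack.length ? stack.pop() : false) || bodyHadQuantifier;
      if (bodyHadQuantifier && /[*+{]/.test(pattern[i + 1] || '')) return true;
      continue;
    }
    if (c === '*' || c === '+' || c === '{') quantified = true;
  }
  return false;
}

function validateLiveQueryRegex(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'too long' };
  try { new RegExp(value); } catch (e) { return { ok: false, reason: 'invalid syntax' }; }
  if (hasNestedQuantifier(value)) return { ok: false, reason: 'nested quantifier' };
  return { ok: true };
}

// Walk a subscribe "where" clause (nested fields, $or/$and arrays) and collect every
// $regex that fails screening; a non-empty result means reject the subscription.
function findRejectedRegexes(where, path = '') {
  const rejected = [];
  for (const [key, val] of Object.entries(where || {})) {
    const here = path ? `${path}.${key}` : key;
    if (key === '$regex') {
      const v = validateLiveQueryRegex(val);
      if (!v.ok) rejected.push({ path: here, reason: v.reason });
    } else if (val && typeof val === 'object') {
      rejected.push(...findRejectedRegexes(val, here));
    }
  }
  return rejected;
}
```

Run `findRejectedRegexes(subscribeMessage.query.where)` on each incoming subscription and close the subscription (and log the client's application ID and rejected path) when it returns anything; pair this with event-loop lag monitoring, since the heuristic is deliberately conservative rather than complete.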
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T16:40:05.884Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69af5576ea502d3aa8d50d90
Added to database: 3/9/2026, 11:19:18 PM
Last enriched: 3/9/2026, 11:33:46 PM
Last updated: 3/14/2026, 2:45:56 AM