CVE-2026-32770: CWE-248: Uncaught Exception in parse-community parse-server
CVE-2026-32770 is a medium severity vulnerability in parse-community's parse-server that allows a remote attacker to cause a denial of service by crashing the server. The issue arises when an attacker subscribes to a LiveQuery using an invalid regular expression pattern, which triggers an uncaught exception in the regex engine and terminates the server process. This affects parse-server versions >= 9.0.0 and < 9.6.0-alpha.19, and versions below 8.6.43.
AI Analysis
Technical Summary
Parse Server is an open-source backend platform whose LiveQuery feature pushes real-time data updates to subscribed clients over a WebSocket connection. In affected versions (9.0.0 up to but not including 9.6.0-alpha.19, and any version below 8.6.43), the server does not validate regular expression patterns supplied in LiveQuery subscription queries. When a remote attacker submits an invalid pattern, compiling it while matching the subscription throws an exception (in Node.js the RegExp constructor raises a SyntaxError for a malformed pattern or unsupported flags) that no handler catches. An uncaught exception terminates the whole Node.js server process, so every client served by that process loses service: a denial of service (DoS). The weakness is classified as CWE-248 (Uncaught Exception). The fix released in 9.6.0-alpha.19 and 8.6.43 adds two layers: the pattern is validated when the subscription is created and the subscription is rejected if it does not compile, and, as defense in depth, regex matching is wrapped in a try-catch so that any remaining matching error cannot bring down the server. Exploitation needs no authentication or user interaction and is reachable over the network. The CVSS v3.1 base score is 5.9 (medium): the only impact is on availability, but it is a complete loss of availability, and attack complexity is rated high, which is what keeps the score below the high range. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability affects only the availability of parse-server instances that run a vulnerable version with LiveQuery enabled; an instance without LiveQuery exposes no subscription endpoint to attack. An attacker can crash the server remotely by sending a subscription containing a malformed regex pattern. Because the whole Node.js process exits, every client served by that process loses service, and in the common deployment where LiveQuery runs inside the main parse-server process that includes REST and Cloud Code traffic, not just real-time subscribers. Organizations relying on parse-server for real-time backend services may see outages that break applications dependent on live updates, with the usual consequences: degraded user experience, lost revenue and operational disruption. Confidentiality and integrity are not affected, so data exposure or tampering is not a direct concern. The trigger is a single cheap message, however, so an attacker can resend it as fast as the server comes back, turning one crash into sustained downtime, recovery effort and reputational cost. The impact is greatest where parse-server is a critical piece of the application infrastructure and LiveQuery is actively used.
Mitigation Recommendations
Upgrade parse-server to 9.6.0-alpha.19 or later on the 9.x line (9.6.0-alpha.19 is a prerelease tag, so any later 9.6.0 release carries the fix as well) or to 8.6.43 or later on the 8.x line, and confirm the installed version with `npm ls parse-server` rather than trusting the range in package.json. If upgrading immediately is not feasible, disabling LiveQuery removes the attack surface entirely, at the cost of real-time updates. Client-side validation is not a control here, since the attacker is the client; validating subscription input only helps if it runs on a proxy or gateway in front of the LiveQuery WebSocket that can parse subscribe messages and reject any $regex constraint that fails to compile. Monitor for unexpected process exits and for uncaught SyntaxError messages of the form "Invalid regular expression" in server logs, which is what a malformed pattern produces in Node.js. A process supervisor such as PM2, or a container restart policy, shortens each outage but does not prevent it: an attacker can resend the message after every restart and crash-loop the service, and every LiveQuery subscription is dropped on each restart. Finally, where the application allows it, restrict network access to the LiveQuery endpoint to trusted clients to reduce exposure.
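The following is an added illustration written for this page, not code from parse-server or its patch. It shows the mechanism described in the technical summary (an unguarded `new RegExp` on a client-supplied `$regex` throws a SyntaxError that would become an uncaught exception in a message handler) next to the two layers the fix is described as adding and that the mitigation section recommends for a gateway: validation at subscribe time and a try-catch around matching. It assumes the Parse query JSON shape (`where` objects whose constraints may carry `$regex`/`$options`, nested under `$or`/`$and`) and a LiveQuery subscribe message carrying `query.where`; the function names are this example's own.

```javascript
// Added example, not parse-server code. Assumes Parse query JSON: a `where`
// object whose constraints may carry {$regex, $options}, possibly nested in
// $or/$and arrays, and a LiveQuery "subscribe" message with query.where.
// vulnerableMatches, validateWhere, safeMatches and handleSubscribe are names
// chosen for this illustration.

// Vulnerable shape: compile the client-supplied pattern with no guard.
// In Node.js the RegExp constructor throws a SyntaxError for a malformed
// pattern ("(") or unsupported flags ("x"). Inside a WebSocket message handler
// with no try/catch that surfaces as an uncaughtException and ends the process.
function vulnerableMatches(where, object) {
  for (const [field, constraint] of Object.entries(where)) {
    if (constraint !== null && typeof constraint === 'object' && '$regex' in constraint) {
      const re = new RegExp(constraint.$regex, constraint.$options || '');
      if (!re.test(String(object[field] ?? ''))) return false;
    } else if (object[field] !== constraint) {
      return false;
    }
  }
  return true;
}

// Layer 1 (reject at subscribe time): walk the where clause, try to compile
// every $regex together with its sibling $options, and collect errors instead
// of throwing. An empty array means the query is safe to store.
function validateWhere(where, path = []) {
  const errors = [];
  if (where === null || typeof where !== 'object') return errors;
  for (const [key, value] of Object.entries(where)) {
    if (key === '$regex') {
      if (typeof value !== 'string') {
        errors.push({ path: path.join('.'), message: '$regex must be a string' });
        continue;
      }
      try {
        new RegExp(value, typeof where.$options === 'string' ? where.$options : '');
      } catch (err) {
        errors.push({ path: path.join('.'), message: err.message });
      }
    } else if (value !== null && typeof value === 'object') {
      // Arrays ($or/$and) and nested constraint objects are walked the same way.
      errors.push(...validateWhere(value, path.concat(key)));
    }
  }
  return errors;
}

// Layer 2 (defense in depth): if an invalid pattern still reaches matching,
// treat it as a non-match and record the failure instead of crashing.
function safeMatches(where, object, log = []) {
  try {
    return vulnerableMatches(where, object);
  } catch (err) {
    log.push(`regex match failed, treated as non-match: ${err.message}`);
    return false;
  }
}

// Subscribe handler with the check in front. The error/subscribed response
// shape is this example's assumption about the LiveQuery protocol.
function handleSubscribe(message) {
  const errors = validateWhere(message.query && message.query.where);
  if (errors.length > 0) {
    return {
      op: 'error',
      requestId: message.requestId,
      error: `Invalid $regex at "${errors[0].path}": ${errors[0].message}`,
      reconnect: false,
    };
  }
  return { op: 'subscribed', requestId: message.requestId };
}

// Stand-alone demo on a constructed malicious subscribe message.
if (typeof require !== 'undefined' && require.main === module) {
  const evil = { op: 'subscribe', requestId: 1,
    query: { className: 'Message', where: { text: { $regex: '(' } } } };
  console.log(handleSubscribe(evil)); // op: 'error'; the process stays alive
  const log = [];
  console.log(safeMatches(evil.query.where, { text: 'hi' }, log), log);
  try { vulnerableMatches(evil.query.where, { text: 'hi' }); }
  catch (err) { console.log('unguarded path would have crashed:', err.message); }
}
```

Run with `node` to see the rejection message and the SyntaxError the unguarded path raises. The two layers are deliberately independent: layer 1 stops bad subscriptions from ever being stored, and layer 2 protects the process from any pattern that slips through another code path, which is the reason the advisory describes the try-catch as defense in depth rather than the primary fix.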
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T18:53:03.534Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb2001771bdb1749c89326
Added to database: 3/18/2026, 9:58:25 PM
Last enriched: 3/26/2026, 1:16:43 AM
Last updated: 5/3/2026, 12:06:45 AM
Views: 85