Parse Server is an open-source backend framework that supports LiveQuery, enabling real-time data subscriptions. Versions prior to 9.6.0-alpha.19 and 8.6.43 contain a vulnerability (CVE-2026-32770) where the server fails to properly handle invalid regular expression patterns submitted during LiveQuery subscriptions. When a client subscribes using a malformed regex pattern, the regex engine throws an uncaught exception, causing the entire server process to terminate unexpectedly. This results in a denial of service (DoS) condition affecting all clients connected to that server instance. The root cause is inadequate validation of regex patterns at subscription time and lack of exception handling around regex matching logic. The fix introduced in the patched versions includes validating regex patterns before storing subscriptions and wrapping matching logic in try-catch blocks to prevent server crashes. The vulnerability does not require authentication or user interaction, making it remotely exploitable by any attacker able to send subscription requests. While no known exploits are currently reported in the wild, the vulnerability poses a significant availability risk for services relying on parse-server LiveQuery functionality. The CVSS v3.1 base score is 5.9, indicating medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability.

This vulnerability can cause complete denial of service of parse-server instances running vulnerable versions with LiveQuery enabled. Organizations using parse-server for real-time backend services risk service outages, disrupting client applications dependent on live data updates. The impact is primarily on availability, with no direct confidentiality or integrity compromise. However, downtime can affect user experience, business operations, and potentially lead to cascading failures in dependent systems. Since parse-server is used globally in various industries for mobile and web backends, the scope of impact can be broad. Attackers do not need authentication or user interaction, increasing the risk of automated or widespread exploitation attempts. Although no active exploits are known, the ease of triggering the crash with crafted regex patterns makes this a credible threat to service continuity.

The primary mitigation is to upgrade parse-server to version 9.6.0-alpha.19 or later, or 8.6.43 or later, where the vulnerability is patched. These versions validate regex patterns at subscription time and implement exception handling to prevent server crashes. If upgrading is not immediately feasible, disabling the LiveQuery feature entirely will eliminate the attack surface related to this vulnerability. Additionally, organizations should implement network-level protections such as rate limiting and input validation proxies to detect and block suspicious subscription requests containing malformed regex patterns. Monitoring server logs for repeated subscription failures or crashes can help identify attempted exploitation. Incorporating robust error handling and input sanitization in custom extensions or middleware interacting with LiveQuery can further reduce risk. Regularly reviewing and applying security updates for parse-server and its dependencies is essential to maintain protection.