CVE-2026-30925

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.11	Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14	Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j	Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha10::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha11::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha12::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha13::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9::::node.js::*

History

11 Mar 2026, 19:53

Type	Values Removed	Values Added
References	~~() https://github.com/parse-community/parse-server/releases/tag/8.6.11 -~~	() https://github.com/parse-community/parse-server/releases/tag/8.6.11 - Product, Release Notes
References	~~() https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14 -~~	() https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14 - Product, Release Notes
References	~~() https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j -~~	() https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j - Mitigation, Patch, Vendor Advisory
First Time		Parseplatform Parseplatform parse-server
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha11::::node.js::* cpe:2.3:a:parseplatform:parse-server::::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha12::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha13::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha10::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha9::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha8::::node.js::* cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2::::node.js::*

10 Mar 2026, 17:40

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 17:40

Updated : 2026-03-11 19:53

NVD link : CVE-2026-30925

Mitre link : CVE-2026-30925

CVE.ORG link : CVE-2026-30925

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-1333

Inefficient Regular Expression Complexity

7.5 /10