CVE-2026-30925
Published: 10 March 2026
Summary
CVE-2026-30925 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 5.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote denial of service: a crafted regex in a Parse Server LiveQuery subscription triggers catastrophic backtracking that blocks the Node.js event loop (CWE-1333). This maps directly to Application or System Exploitation, since the impact is on endpoint availability.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.
Deeper analysis
CVE-2026-30925 is a denial-of-service vulnerability in Parse Server, an open-source backend deployable on any Node.js infrastructure. Versions prior to 9.5.0-alpha.14 and 8.6.11 are affected when LiveQuery is enabled. The issue stems from a crafted $regex pattern in a LiveQuery subscription that triggers catastrophic backtracking in JavaScript regular expression evaluation on the Node.js event loop, as classified under CWE-1333 (Inefficient Regular Expression Complexity). This contrasts with REST and GraphQL queries, which remain unaffected since their regex handling occurs in the database engine.
Any remote attacker can exploit this vulnerability by subscribing to a LiveQuery using publicly exposed credentials—the application ID and JavaScript key, commonly found in client-side applications. Successful exploitation blocks the Node.js event loop, rendering the entire Parse Server instance unresponsive and impacting all connected clients. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its network accessibility, low complexity, and high availability impact without requiring privileges.
Parse Server advisories and release notes recommend upgrading to version 9.5.0-alpha.14 or 8.6.11, where the vulnerability is fixed. Details are available in the GitHub security advisory (GHSA-mf3j-86qx-cq5j) and release tags for 8.6.11 and 9.5.0-alpha.14.
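The NVD description and the analysis above both come down to one failure mode: a client-controlled $regex string is compiled and evaluated in JavaScript on the event loop, so a pattern with exponential backtracking stalls the whole process. Upgrading to the fixed versions is the remedy; as an added, defender-side illustration (not Parse Server code and not the project's own fix), the block below shows a conservative static pre-check that a LiveQuery-style server could apply to client-supplied $regex operands before compiling them. It rejects over-long patterns and patterns that quantify a group whose body already contains a quantifier, the structure behind most CWE-1333 catastrophic-backtracking cases. The length limit, the function names and the shape of the subscription `where` clause (Parse-style query JSON with `$regex` and `$or`) are assumptions made for the example.

```javascript
// Added example, not Parse Server code: a conservative static check for client-supplied
// $regex operands, run before `new RegExp` and before any matching on the event loop.

const MAX_PATTERN_LENGTH = 256; // assumed policy limit, not a Parse Server setting

// Length in characters of a quantifier starting at index i, or 0 if there is none.
// Covers * + ? {n} {n,} {n,m} plus an optional trailing lazy '?'.
function quantifierLength(pattern, i) {
  let len = 0;
  if ('*+?'.includes(pattern[i])) {
    len = 1;
  } else if (pattern[i] === '{') {
    const m = /^\{\d+(,\d*)?\}/.exec(pattern.slice(i));
    if (!m) return 0; // a bare '{' is a literal in JavaScript regexes
    len = m[0].length;
  } else {
    return 0;
  }
  if (pattern[i + len] === '?') len += 1; // lazy modifier
  return len;
}

// True when a quantified group itself contains a quantifier, e.g. a+ inside (...)+.
// Conservative: it also flags some patterns that are safe in practice.
function hasNestedQuantifier(pattern) {
  const outer = [];            // saved "saw a quantifier" flags of enclosing groups
  let sawQuantifier = false;   // has the current group body seen a quantifier?
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === '\\') { i += 2; continue; }                // escaped character: skip it
    if (c === '[') {                                     // character class: skip to ']'
      i += 1;
      while (i < pattern.length && pattern[i] !== ']') i += pattern[i] === '\\' ? 2 : 1;
      i += 1;
      continue;
    }
    if (c === '(') {
      outer.push(sawQuantifier);
      sawQuantifier = false;
      i += 1;
      if (pattern[i] === '?') {                          // (?: (?= (?! (?<= (?<! (?<name>
        while (i < pattern.length && !':=!>'.includes(pattern[i])) i += 1;
        i += 1;
      }
      continue;
    }
    if (c === ')') {
      const inner = sawQuantifier;
      sawQuantifier = outer.length ? outer.pop() : false;
      i += 1;
      const q = quantifierLength(pattern, i);
      if (q) {
        if (inner) return true;                          // quantified group with a quantified body
        sawQuantifier = true;
        i += q;
      }
      continue;
    }
    const q = quantifierLength(pattern, i);
    if (q) { sawQuantifier = true; i += q; continue; }
    i += 1;
  }
  return false;
}

// Validates one $regex operand. Returns { ok: true } or { ok: false, reason }.
function validateRegexOperand(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  if (hasNestedQuantifier(pattern)) return { ok: false, reason: 'nested quantifier' };
  try { new RegExp(pattern); } catch (e) { return { ok: false, reason: 'invalid syntax' }; }
  return { ok: true };
}

// Walks a subscription's where clause (assumed Parse-style JSON such as
// { name: { $regex: '^ab' }, $or: [ ... ] }) and rejects the whole subscription
// at the first unacceptable $regex operand.
function checkSubscriptionWhere(where) {
  const visit = (node) => {
    if (Array.isArray(node)) {
      for (const n of node) { const r = visit(n); if (!r.ok) return r; }
      return { ok: true };
    }
    if (node && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        if (key === '$regex') { const r = validateRegexOperand(value); if (!r.ok) return r; continue; }
        const r = visit(value);
        if (!r.ok) return r;
      }
    }
    return { ok: true };
  };
  return visit(where);
}
```

The check is deliberately strict: it rejects a pattern like `(\d+\.)+` even though the literal dot between the quantifiers makes it safe, and it does not catch every slow pattern (alternations with overlapping branches, for example). It is a cheap guard to place in front of the upgrade, not a replacement for it; a fuller mitigation would also cap pattern count per subscription and move regex matching off the event loop.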
Details
- CWE(s)