Cyber Posture

CVE-2026-32770

Medium

Published: 18 March 2026

Modified: 19 March 2026
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0004 (12.3rd percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32770 is a medium-severity Uncaught Exception (CWE-248) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 12.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-11 Error Handling directly addresses uncaught exceptions in the regex engine during LiveQuery subscription matching that crash the Parse Server process.

Prevent: SI-10 Information Input Validation requires checking and rejecting invalid regular expression patterns in LiveQuery subscriptions before they reach the regex engine.

Prevent: SC-5 Denial-of-service Protection limits the effects of remote attacks using malicious regex patterns to crash the server and disrupt all connected clients.

MITRE ATT&CK Enterprise Techniques · AI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote exploitation of an unhandled regex exception in Parse Server LiveQuery to crash the process, which maps directly to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. The fix in 9.6.0-alpha.19 and 8.6.43 validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. As a workaround, disable LiveQuery if it is not needed.

Deeper analysis · AI

CVE-2026-32770 is a denial-of-service vulnerability in Parse Server, an open source backend deployable on any Node.js-compatible infrastructure. Versions prior to 9.6.0-alpha.19 and 8.6.43 are affected, where a remote attacker can crash the server process by subscribing to a LiveQuery with an invalid regular expression pattern. The crash occurs when the invalid pattern reaches the regex engine during subscription matching, terminating the server and disrupting service for all connected clients. This issue is classified under CWE-248 (Uncaught Exception).

A remote, unauthenticated attacker can exploit this vulnerability over the network by sending a LiveQuery subscription request containing a malicious regex pattern, though it requires high attack complexity as indicated by the CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation triggers an unhandled exception in the regex engine, immediately crashing the server process and causing a denial of service that impacts all clients relying on the Parse Server instance.

The Parse Server security advisory and related pull requests detail mitigations in versions 9.6.0-alpha.19 and 8.6.43, which validate regular expression patterns at subscription time and reject invalid ones before storage. A defense-in-depth try-catch block was also added to prevent subscription matching errors from crashing the server. As a workaround, administrators can disable LiveQuery if it is not required. Relevant resources include the GitHub advisory at GHSA-827p-g5x5-h86c and pull requests #10197 and #10199.
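The two layers of the fix described above (rejecting invalid regular expressions at subscription time, plus a containing try-catch around subscription matching) as an added illustration in plain JavaScript. This is not Parse Server's own code; the names SubscriptionStore, subscribe, matchUnsafe, matchSafe and validateWhere, the `$regex`/`$options` constraint shape and the sample data are assumptions constructed for the example:

```javascript
// Added example, not Parse Server's code. A minimal LiveQuery-style
// subscription matcher showing the vulnerable shape beside the fixed one.
// All names and the sample data are constructed for this illustration.

// Compile a $regex constraint; returns a RegExp or throws SyntaxError.
// In the unfixed flow this only happens at match time, so a SyntaxError
// escapes the matching path as an uncaught exception.
function compileRegex(pattern, options = "") {
  return new RegExp(pattern, options);
}

function hasRegex(constraint) {
  return constraint !== null && typeof constraint === "object" && "$regex" in constraint;
}

// Vulnerable shape: the pattern was stored unchecked and is compiled while
// matching, with no guard. An invalid pattern throws from here on every
// incoming object, which in a server process means the process dies.
function matchUnsafe(where, object) {
  for (const [field, constraint] of Object.entries(where)) {
    const value = object[field];
    if (hasRegex(constraint)) {
      if (!compileRegex(constraint.$regex, constraint.$options).test(String(value))) return false;
    } else if (value !== constraint) {
      return false;
    }
  }
  return true;
}

// Layer 1: validate every $regex at subscription time and reject the
// subscription before anything is stored.
function validateWhere(where) {
  for (const constraint of Object.values(where)) {
    if (!hasRegex(constraint)) continue;
    if (typeof constraint.$regex !== "string") throw new TypeError("$regex must be a string");
    try {
      compileRegex(constraint.$regex, constraint.$options);
    } catch (e) {
      throw new Error(`invalid regular expression in subscription: ${e.message}`);
    }
  }
}

class SubscriptionStore {
  constructor() {
    this.subscriptions = new Map();
    this.nextId = 1;
  }

  // Rejected subscriptions never reach the map, so no invalid pattern
  // can be handed to the regex engine later.
  subscribe(where) {
    validateWhere(where);
    const id = this.nextId++;
    this.subscriptions.set(id, where);
    return id;
  }

  // Layer 2 (defense in depth): any error raised while matching is
  // contained and logged; the object is treated as not matching.
  matchSafe(id, object, log = console.error) {
    const where = this.subscriptions.get(id);
    if (!where) return false;
    try {
      return matchUnsafe(where, object);
    } catch (e) {
      log(`subscription ${id}: matching error contained: ${e.message}`);
      return false;
    }
  }
}

// Usage with constructed sample data.
const store = new SubscriptionStore();
const okId = store.subscribe({ name: { $regex: "^Al" } });
console.log(store.matchSafe(okId, { name: "Alice" })); // true
let rejected = false;
try {
  store.subscribe({ name: { $regex: "[" } }); // unterminated class: invalid
} catch {
  rejected = true;
}
console.log(rejected); // true
```

Validation at subscribe time is what stops the bad pattern from being stored; the try-catch in matchSafe is only there so that a pattern that somehow slipped past validation (or any other matching error) degrades to a logged non-match instead of an exception that unwinds the process.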

Details

CWE(s)

CWE-248 Uncaught Exception

Affected Products

parseplatform
parse-server
9.6.0 · ≤ 8.6.43 · 9.0.0 — 9.6.0

CVEs Like This One

CVE-2026-33538 · Same product: Parseplatform Parse-Server
CVE-2026-32944 · Same product: Parseplatform Parse-Server
CVE-2026-33498 · Same product: Parseplatform Parse-Server
CVE-2026-34573 · Same product: Parseplatform Parse-Server
CVE-2026-32886 · Same product: Parseplatform Parse-Server
CVE-2026-30925 · Same product: Parseplatform Parse-Server
CVE-2026-30946 · Same product: Parseplatform Parse-Server
CVE-2026-33508 · Same product: Parseplatform Parse-Server
CVE-2026-30939 · Same product: Parseplatform Parse-Server
CVE-2026-30972 · Same product: Parseplatform Parse-Server

References