Parse Server LiveQuery subscription with invalid regular expression crashes server

GHSA-827p-g5x5-h86c · BIT-parse-2026-32770 · CVE-2026-32770

Published Mar 17, 2026 · Modified Mar 20, 2026

Description

Impact

A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.

Patches

The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.

Workarounds

Disable LiveQuery if it is not needed.

References

WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-32770
WEB https://github.com/parse-community/parse-server/pull/10197
WEB https://github.com/parse-community/parse-server/pull/10199
PACKAGE https://github.com/parse-community/parse-server

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes