CVE-2026-32770
MEDIUM
GHSA-827p-g5x5-h86c
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
### Impact A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. ### Patches The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. ### Workarounds Disable LiveQuery if it is not needed.
Analysis
Parse Server contains a denial-of-service vulnerability in its LiveQuery feature where remote attackers can crash the server by subscribing with an invalid regular expression pattern. The vulnerability affects npm package parse-server across versions and allows unauthenticated network-based attacks with high attack complexity, resulting in complete service disruption for all connected clients. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today