CVE-2026-30925

EPSS 0.02%
Veröffentlicht 09.03.2026 23:01:32
Zuletzt bearbeitet 11.03.2026 19:53:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.11

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.5.0

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha12 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha13 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.5.0 Updatealpha9 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.054

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	8.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j

Patch

Vendor Advisory

Mitigation

https://github.com/parse-community/parse-server/releases/tag/8.6.11

Product

Release Notes

https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-30925

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-30925

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-30925

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-30925