CVE-2026-32770: Parse Server LiveQuery subscription with invalid regular expression crashes server

March 17, 2026

A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.

References

github.com/advisories/GHSA-827p-g5x5-h86c
github.com/parse-community/parse-server
github.com/parse-community/parse-server/pull/10197
github.com/parse-community/parse-server/pull/10199
github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c
nvd.nist.gov/vuln/detail/CVE-2026-32770

Code Behaviors & Features

Detect and mitigate CVE-2026-32770 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →