Parse Server LiveQuery Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Parse Server versions prior to 9.5.0-alpha.14 and 8.6.11. The issue arises in LiveQuery subscriptions, where a malicious client can use a crafted $regex pattern that causes catastrophic backtracking. This manipulation blocks the Node.js event loop, rendering the entire Parse Server unresponsive and affecting all connected clients. The vulnerability is present in any Parse Server deployment with LiveQuery enabled. To exploit this issue, an attacker only needs the application ID and JavaScript key, both of which are publicly accessible in client-side applications.

Impact

Exploitation of this vulnerability leads to a regular expression denial-of-service, where the Node.js event loop is blocked, causing the Parse Server to become unresponsive and disrupting service for all clients.

Remediation

To address this vulnerability, users can update to Parse Server versions 9.5.0-alpha.14 or 8.6.11, where the issue has been patched. For those using version 9.5.0-alpha.14, the regex evaluation in LiveQuery subscriptions now runs in an isolated virtual machine context with a default timeout of 100 milliseconds. This timeout can be adjusted through the 'liveQuery.regexTimeout' option. Alternatively, the 'beforeSubscribe' Cloud Code hook can be used to reject LiveQuery subscriptions that contain a $regex operator, although this will also block 'startsWith', 'endsWith', and 'contains' query methods that rely on $regex.
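The Cloud Code workaround described above, as an added example that is not Parse Server's own code: a `beforeSubscribe` hook that walks the subscription's `where` clause and rejects it if a `$regex` operator appears anywhere, including inside `$or`/`$and`/`$nor` arrays and `$inQuery`-style sub-queries. The assumed pieces are the `Message` class name and the placeholder server options (the `liveQuery.regexTimeout` key itself comes from the advisory). `Parse.Cloud.beforeSubscribe` and `request.query.toJSON()` are real Parse Server Cloud Code APIs; the registration is guarded so the file also runs stand-alone.

```javascript
// Added example (not Parse Server's code): block $regex in LiveQuery subscriptions.

// Recursively scan a Parse REST-style `where` constraint for the $regex operator.
// Returns the JSON path of the first occurrence, or null if there is none.
function findRegexConstraint(where, path = 'where') {
  if (Array.isArray(where)) {
    // $or / $and / $nor carry arrays of sub-constraints; $in carries plain values.
    for (let i = 0; i < where.length; i++) {
      const hit = findRegexConstraint(where[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (where === null || typeof where !== 'object') return null;
  for (const [key, value] of Object.entries(where)) {
    const here = `${path}.${key}`;
    if (key === '$regex') return here;
    // Descend into field constraints and into $inQuery / $select sub-queries.
    const hit = findRegexConstraint(value, here);
    if (hit) return hit;
  }
  return null;
}

// beforeSubscribe handler. `request.query` is a Parse.Query; its toJSON().where is
// the constraint object the client sent. Throwing rejects the subscription.
// Note: this also rejects startsWith / endsWith / contains, which are built on $regex.
function rejectRegexSubscriptions(request) {
  const where = (request.query.toJSON() || {}).where || {};
  const hit = findRegexConstraint(where);
  if (hit) {
    throw new Error(`LiveQuery subscriptions may not use $regex (found at ${hit})`);
  }
  return true; // subscription allowed
}

// Register the hook when running inside Parse Server Cloud Code, where `Parse` is a
// global. 'Message' is a placeholder class name chosen for this example.
const PROTECTED_CLASSES = ['Message'];
if (typeof Parse !== 'undefined' && Parse.Cloud && Parse.Cloud.beforeSubscribe) {
  for (const className of PROTECTED_CLASSES) {
    Parse.Cloud.beforeSubscribe(className, rejectRegexSubscriptions);
  }
}

// Alternative for 9.5.0-alpha.14+: keep $regex but bound its evaluation time.
// Server-options fragment; `liveQuery.regexTimeout` (milliseconds) is the option the
// advisory names, the other values are placeholders.
const serverOptions = {
  appId: 'APP_ID_PLACEHOLDER',
  masterKey: 'MASTER_KEY_PLACEHOLDER',
  databaseURI: 'mongodb://localhost:27017/dev',
  liveQuery: { classNames: PROTECTED_CLASSES, regexTimeout: 100 },
};

// Constructed sample subscriptions (not captured traffic) for a quick self-check.
const SAMPLE_WHERES = {
  startsWith: { text: { $regex: '^hello' } },                       // what startsWith emits
  nestedOr: { $or: [{ score: { $gt: 5 } }, { name: { $regex: 'x', $options: 'i' } }] },
  subQuery: { sender: { $inQuery: { className: '_User', where: { username: { $regex: 'a' } } } } },
  clean: { score: { $gt: 5 }, tags: { $in: ['a', 'b'] } },
};

// Mimic the `request` object Cloud Code passes to beforeSubscribe.
function fakeRequest(where) {
  return { query: { toJSON: () => ({ where }) } };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, where] of Object.entries(SAMPLE_WHERES)) {
    console.log(name, '->', findRegexConstraint(where) || 'no $regex');
  }
}

module.exports = { findRegexConstraint, rejectRegexSubscriptions, fakeRequest, serverOptions, SAMPLE_WHERES };
```

Because the scan descends into sub-queries, a `$regex` hidden inside `$inQuery` or `$select` is caught as well as one on a top-level field. The trade-off the advisory states holds here too: any client query built with `startsWith`, `endsWith` or `contains` on a protected class will be rejected, so either scope `PROTECTED_CLASSES` to the classes exposed over LiveQuery or prefer the patched release with `regexTimeout`.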

Added: Mar 10, 2026, 5:53 PM
Updated: Mar 10, 2026, 5:53 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 5.0
remediation: 8.3
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.