Parse Server LiveQuery Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Parse Server versions prior to 9.6.0-alpha.19 and 8.6.43. The issue arises when a remote attacker subscribes to a LiveQuery using an invalid regular expression pattern. This causes the server process to crash as the invalid pattern is processed by the regex engine during subscription matching, disrupting service for all connected clients. The vulnerability has been addressed in versions 9.6.0-alpha.19 and 8.6.43 by implementing pattern validation at subscription time, rejecting invalid patterns before they can be stored. Additionally, a try-catch mechanism has been introduced to prevent subscription matching errors from terminating the server process. As a temporary measure, LiveQuery can be disabled if not needed.
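The two fixes described above, as an added example written for this page rather than code from Parse Server: `$regex`/`$options` constraints (Parse's query syntax) are compiled inside a try-catch when a subscription is created, so invalid patterns are rejected before being stored, and the matcher catches regex errors so a subscription can never bring down the process. Function names, the subscription store and the sample objects are constructed for illustration.

```javascript
// Added example, not Parse Server's own implementation.
// Return null if the pattern compiles, otherwise the engine's error message.
function validateRegex(pattern, options = '') {
  try {
    new RegExp(pattern, options);
    return null;
  } catch (err) {
    return err.message; // e.g. "Invalid regular expression: /[/: Unterminated character class"
  }
}

// Collect every invalid $regex constraint in a where-clause (hypothetical helper).
function validateWhere(where) {
  const errors = [];
  for (const [field, constraint] of Object.entries(where || {})) {
    if (constraint && typeof constraint === 'object' && '$regex' in constraint) {
      const msg = validateRegex(constraint.$regex, constraint.$options || '');
      if (msg) errors.push(`${field}: ${msg}`);
    }
  }
  return errors;
}

// Subscription store (constructed): reject bad patterns at subscription time.
const subscriptions = new Map();
function subscribe(id, where) {
  const errors = validateWhere(where);
  if (errors.length) return { ok: false, errors };
  subscriptions.set(id, where);
  return { ok: true };
}

// Match a stored subscription against an object. A regex error here is
// swallowed and reported as "no match" instead of terminating the server.
function matches(where, object) {
  try {
    return Object.entries(where).every(([field, constraint]) => {
      if (constraint && typeof constraint === 'object' && '$regex' in constraint) {
        const re = new RegExp(constraint.$regex, constraint.$options || '');
        return re.test(String(object[field] ?? ''));
      }
      return object[field] === constraint; // plain equality for other constraints
    });
  } catch (err) {
    return false; // log in a real server; never let it propagate
  }
}
```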

Impact

Exploitation of this vulnerability leads to a server crash, causing a denial-of-service condition for all connected clients.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.19 or 8.6.43, where this vulnerability has been patched. If an immediate upgrade is not possible, LiveQuery can be disabled as a workaround.

Added: Mar 18, 2026, 10:25 PM
Updated: Mar 18, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 3.1
exploitability: 7.9
remediation: 8.3
relevance: 4.3
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.