BIT-PARSE-2026-32770 Parse Server: LiveQuery subscription with invalid regular expression crashes server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid...

PT-2026-26759

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.53 Parse Server versions prior to 9.6.0-alpha.42 Description Parse Server’s LiveQuery WebSocket interface did not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields...

PT-2026-26791

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.56 Parse Server versions prior to 9.6.0-alpha.45 Description Parse Server’s LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

PT-2026-26760

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.54 Parse Server versions prior to 9.6.0-alpha.43 Description Parse Server contains a flaw where an attacker can subscribe to LiveQuery using a watch parameter that targets a protected field. While the actual...

CVE-2026-33163

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

CVE-2026-33163

Summary: CVE-2026-33163 affects Parse Server’s LiveQuery afterEvent trigger. Before versions 9.6.0-alpha.35 and 8.6.50, when a class has a Parse.Cloud.afterLiveQueryEvent trigger, the LiveQuery event payload could leak protected fields and authData to subscribers of that class. The leak stems fro...

CVE-2026-32770 Parse Server: LiveQuery subscription with invalid regular expression crashes server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...

CVE-2026-32770 Parse Server: LiveQuery subscription with invalid regular expression crashes server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...

CVE-2026-32770

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...

EUVD-2026-12994

Parse Server leaks protected fields via LiveQuery afterEvent trigger...

Parse Server leaks protected fields via LiveQuery afterEvent trigger

Impact When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions protectedFields are included in LiveQuery event payloads for all...

Parse Server 信息泄露漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.35 and 8.6.50 contained a vulnerability related to information leakage. This vulnerability stemmed from the LiveQuery...

Parse Server LiveQuery subscription with invalid regular expression crashes server

Impact A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. Patches...

Improper Validation of Syntactic Correctness of Input

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the LiveQuery subscription when an invalid regular expression patte...

PT-2026-25984

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...

BIT-PARSE-2026-30947 Parse Server ha a bypass of class-level permissions in LiveQuery

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.16, class-level permissions CLP are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and...

BIT-PARSE-2026-30925 Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the...

EUVD-2026-11340

Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause...

GHSA-J7MM-F4RV-6Q6Q Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Impact An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field including via dot-notation or $regex, the attacker can observe whether LiveQuery events are delivere...