Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.
Published: 2026-03-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via infinite recursion and dispatch bypass
Action: Apply Patch
AI Analysis

Impact

Parse Server, an open source Node.js backend, permits unauthenticated users to trigger a crash by invoking a Cloud Function endpoint with a prototype property name as the function name. The server enters an infinite recursion during prototype chain resolution, which eventually causes a stack overflow and terminates the process. Additionally, requesting Cloud Function names that are prototype properties or contain dot notation bypasses dispatch validation, returning a misleading HTTP 200 response even when the function does not exist. The weakness is a flaw in prototype chain handling, identified as CWE-1321.

Affected Systems

This vulnerability applies to all Parse Server installations that expose the Cloud Function endpoint, specifically versions earlier than 8.6.13 and 9.5.1-alpha.2. Administrators should review the version they run; the issue is resolved in the 8.6.13 release and the 9.5.1-alpha.2 release. The affected product is the Parse Server open source backend for Node.js platforms.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% implies a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP request to the Cloud Function API; no privileged access or local code execution is needed. A successful exploit results in a service crash or unauthorized exposure of function responses, leading to denial of service and potential confusion for users of the affected system.

Generated by OpenCVE AI on April 17, 2026 at 11:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 8.6.13 or later, or to 9.5.1-alpha.2 or later, where the prototype chain resolution bug is fixed.
  • Limit access to the Cloud Function endpoint by enforcing authentication or applying firewall rules to restrict unauthenticated traffic.
  • Restart the Parse Server process after upgrading or reconfiguring.
  • Monitor application logs for signs of repeated crashes or unexpected 200 responses to undefined function names.
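As an added illustration (not Parse Server's own code; the names below are hypothetical), a Cloud Function registry that dispatches only names it explicitly registered: a null-prototype map, an own-property check, and a name pattern that excludes dots, shown beside a naive lookup on an ordinary object that lets inherited prototype members such as toString or constructor pass a typeof check.

```javascript
// Added example: hardened Cloud Function name resolution.
// Assumed/hypothetical names: createRegistry, registerFunction,
// naiveLookup, safeLookup, dispatch. Not Parse Server's implementation.

// Identifier-only names: no dots, so no property-path traversal.
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function createRegistry() {
  // Null-prototype object: no inherited toString/constructor/__proto__ keys.
  return Object.create(null);
}

function registerFunction(registry, name, handler) {
  if (!NAME_RE.test(name)) throw new Error(`invalid function name: ${name}`);
  registry[name] = handler;
}

// Naive lookup on an ordinary object: inherited members such as
// Object.prototype.toString satisfy the typeof check although nothing
// was registered under that name.
function naiveLookup(fns, name) {
  const fn = fns[name];
  return typeof fn === 'function' ? fn : null;
}

// Hardened lookup: syntactic check, then own-property check.
function safeLookup(registry, name) {
  if (typeof name !== 'string' || !NAME_RE.test(name)) return null;
  if (!Object.hasOwn(registry, name)) return null;
  return registry[name];
}

function dispatch(registry, name, params) {
  const fn = safeLookup(registry, name);
  if (fn === null) {
    return { status: 404, body: { error: `Invalid function: ${name}` } };
  }
  return { status: 200, body: { result: fn(params) } };
}

// Constructed sample setup: one registered function, plus an ordinary
// object holding the same function for contrast with the naive lookup.
const registry = createRegistry();
registerFunction(registry, 'hello', (p) => `hi ${p.name}`);
const plain = { hello: (p) => `hi ${p.name}` };
```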

Advisories
Source: GitHub GHSA
ID: GHSA-5j86-7r7m-p8h6
Title: Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
History

Wed, 11 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parseplatform; Parseplatform parse-server
CPEs | | cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*; cpe:2.3:a:parseplatform:parse-server:9.5.1:alpha1:*:*:*:node.js:*:*
Vendors & Products | | Parseplatform; Parseplatform parse-server
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parse Community; Parse Community parse Server
Vendors & Products | | Parse Community; Parse Community parse Server

Tue, 10 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.
Title | | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Weaknesses | | CWE-1321
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:01:15.854Z

Reserved: 2026-03-07T17:34:39.978Z

Link: CVE-2026-30939

Vulnrichment

Updated: 2026-03-10T16:57:31.776Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:53.780

Modified: 2026-03-11T19:51:33.597

Link: CVE-2026-30939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses