Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
Published: 2026-03-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Rate Limit Bypass leading to resource exhaustion and potential denial of service
Action: Patch Now
AI Analysis

Impact

Parse Server’s rate limiting middleware is applied only at the Express middleware layer, but the /batch endpoint processes sub‑requests directly through the Promise router, bypassing that layer. An attacker can therefore bundle multiple requests that would normally be rate‑limited into a single batch request, circumventing the configured limits. This improper restriction of resources flaw can cause denial of service by exhausting CPU, memory or network bandwidth. The vulnerability does not provide direct code execution or data exposure.

Affected Systems

All unpatched deployments of Parse Server older than 9.5.2‑alpha.10 and 8.6.23, including every alpha release from 9.5.2‑alpha.1 through alpha.9, are affected. The issue applies to every instance of the open source Parse Server that runs on Node.js and uses the built‑in rate limiting feature.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. An EPSS of less than 1% signals a low but non‑zero likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA known exploited vulnerabilities catalog, meaning no active publicly known exploits have been reported. The flaw can be exploited by any client that has permission to submit batch requests, allowing an attacker to flood the server with a high volume of batched requests and potentially bring the service down. The risk is amplified in high‑traffic or publicly exposed environments.

Generated by OpenCVE AI on April 16, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2‑alpha.10 or 8.6.23, where the rate limiting is applied to batch requests.
  • If an upgrade cannot be performed immediately, temporarily disable the /batch endpoint or replace it with a custom implementation that enforces rate limits on each sub‑request.
  • Monitor for unusually large batch payloads or sudden increases in request volume and apply network or API gateway throttling or blocking rules as needed.
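The second action above (a custom /batch front that enforces the limit on each sub-request) is illustrated here as an added example; it is not Parse Server's own code. It assumes the Parse REST batch body format { requests: [{ method, path, body }] } with paths already relative to the server mount, rule fields named requestPath and requestCount after Parse Server's rateLimit option (an assumption about that option), and a windowMs field of our own.

```javascript
// Added example, not Parse Server's code: a batch-aware rate limiter that charges
// every sub-request inside a /batch payload against the same per-client bucket a
// direct request would use. Assumes the Parse REST batch format
// { requests: [{ method, path, body }] }; requestPath/requestCount mirror Parse
// Server's rateLimit option names (assumption), windowMs is our own field.
function createBatchAwareLimiter(rules) {
  const hits = new Map(); // "ip|requestPath" -> timestamps of charged hits
  // First rule whose requestPath matches; a trailing '*' is a prefix wildcard.
  function matchRule(path) {
    return rules.find(r => r.requestPath.endsWith('*')
      ? path.startsWith(r.requestPath.slice(0, -1))
      : path === r.requestPath);
  }
  // Timestamps for (ip, rule) still inside the sliding window; prunes old ones.
  function recent(ip, rule, now) {
    const key = `${ip}|${rule.requestPath}`;
    const live = (hits.get(key) || []).filter(t => now - t < rule.windowMs);
    hits.set(key, live);
    return live;
  }
  // Direct request: charge one hit, allow only while under the limit.
  function check(ip, path, now = Date.now()) {
    const rule = matchRule(path);
    if (!rule) return { allowed: true };
    const live = recent(ip, rule, now);
    if (live.length >= rule.requestCount) return { allowed: false, status: 429 };
    live.push(now);
    return { allowed: true };
  }
  // Batch request: tally sub-requests per rule, refuse the whole batch with 429
  // if any rule lacks capacity, and only then charge every sub-request.
  function checkBatch(ip, body, now = Date.now()) {
    const subs = Array.isArray(body && body.requests) ? body.requests : [];
    const wanted = new Map(); // rule -> number of sub-requests hitting it
    for (const sub of subs) {
      const rule = matchRule(String((sub && sub.path) || ''));
      if (rule) wanted.set(rule, (wanted.get(rule) || 0) + 1);
    }
    for (const [rule, n] of wanted) {
      if (recent(ip, rule, now).length + n > rule.requestCount) {
        return { allowed: false, status: 429, rule: rule.requestPath };
      }
    }
    for (const [rule, n] of wanted) recent(ip, rule, now).push(...Array(n).fill(now));
    return { allowed: true, charged: subs.length };
  }
  return { check, checkBatch };
}
```

Mount checkBatch in an Express middleware on /batch ahead of Parse Server's router and answer 429 when allowed is false; because direct and batched hits share one bucket, splitting traffic across the two paths yields no extra capacity.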

Advisories
Source: Github GHSA
ID: GHSA-775h-3xrc-c228
Title: Parse Server has a rate limit bypass via batch request endpoint
History

Wed, 11 Mar 2026 18:45:00 +0000

Type: First Time appeared
  Values Added: Parseplatform; Parseplatform parse-server
Type: CPEs
  Values Added:
    cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*
Type: Vendors & Products
  Values Added: Parseplatform; Parseplatform parse-server
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Parse Community; Parse Community parse Server
Type: Vendors & Products
  Values Added: Parse Community; Parse Community parse Server

Tue, 10 Mar 2026 21:00:00 +0000

Type: Description
  Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
Type: Title
  Values Added: Parse Server has a rate limit bypass via batch request endpoint
Type: Weaknesses
  Values Added: CWE-799
Type: References
  Values Added: (empty)
Type: Metrics
  Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T16:00:44.344Z

Reserved: 2026-03-07T17:53:48.815Z

Link: CVE-2026-30972

Vulnrichment

Updated: 2026-03-11T15:53:45.812Z

NVD

Status : Analyzed

Published: 2026-03-10T21:16:49.517

Modified: 2026-03-11T18:42:38.490

Link: CVE-2026-30972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses