Impact
Parse Server, an open-source Node.js backend, has a flaw that lets a remote caller crash the server process. By sending a cloud function request whose function name walks up the JavaScript prototype chain of the object holding the registered cloud-function handlers, the caller makes the handler lookup trigger a stack overflow, and the Node.js process terminates unexpectedly. This condition is classified under CWE-1321 (prototype chain traversal) and results in a denial-of-service impact.
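The pattern described above, as an added illustration that is not Parse Server's own code: a handler registry kept in a plain object resolves caller-supplied names such as `constructor` or `__proto__` to inherited `Object.prototype` members, while an own-property check rejects them. The registry contents and function names here are constructed for the example.

```javascript
// Added illustration (hypothetical, not Parse Server's code): a plain-object
// registry of cloud-function handlers lets a caller's function name resolve to
// inherited properties, and an own-property check closes that path.

// Constructed registry keyed by the names clients send to the cloud-function endpoint.
const registry = {
  hello: (params) => `hello ${params.name}`,
};

// Vulnerable lookup: bracket access walks the prototype chain, so names such as
// "constructor", "toString" or "__proto__" resolve to Object.prototype members
// instead of failing, and the result is treated as a registered handler.
function lookupUnsafe(name) {
  return registry[name];
}

// Hardened lookup: only own, function-valued properties count as registered
// handlers; anything inherited from the prototype chain is reported as unknown.
function lookupSafe(name) {
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(registry, name)) {
    return undefined;
  }
  const handler = registry[name];
  return typeof handler === 'function' ? handler : undefined;
}

// Classifies a requested name so a defender can log what the unsafe lookup
// would have dispatched: a real handler, an inherited property, or nothing.
function classify(name) {
  if (lookupSafe(name) !== undefined) return 'registered';
  if (lookupUnsafe(name) !== undefined) return 'inherited-property';
  return 'unknown';
}
```

Names that classify as `inherited-property` are exactly the requests the hardened lookup turns into an ordinary "function not found" response instead of a dispatch.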
Affected Systems
The vulnerability affects parse-community:parse-server in all releases prior to 9.6.0-alpha.24 on the 9.x pre-release line and prior to 8.6.47 on the 8.x line. Any deployment running one of the listed CPEs (e.g., 9.6.0-alpha.1 through alpha.23, 8.6.x prior to 8.6.47, or any of the alpha pre-releases in the provided list) is susceptible. Exposure does not depend on hosting: the affected code runs on any infrastructure that can run Node.js.
Risk and Exploitability
The CVSS score of 8.2 classifies this as a high-severity vulnerability, while the EPSS score of less than 1% indicates a low probability of active exploitation today. It is not included in the CISA KEV catalog. The attack vector is remote: an unauthenticated client can trigger the crash by invoking the cloud-function endpoint with a crafted function name. Consequently, while the impact on availability is substantial, the overall current risk may be moderate given the low exploitation likelihood; however, because no workaround is available, timely patching to 9.6.0-alpha.24 or 8.6.47 is essential.
OpenCVE Enrichment