Impact
Parse Server before version 8.6.67, and the 9.x pre-release line before 9.7.0-alpha.11, allows an attacker to bypass Cloud Function validators by appending "prototype.constructor" to a function name in the request URL. The flaw arises because handler resolution follows the object's prototype chain while validator resolution does not: for a regular function fn, fn.prototype.constructor is fn itself, so the handler lookup for "fn.prototype.constructor" still lands on the protected function, whereas a validator defined as a plain object or an arrow function has no prototype property, so the validator lookup returns nothing and the validation logic never runs. The result is that a function intended to run only for authenticated or privileged callers runs for any caller that can reach the endpoint, potentially exposing sensitive data or enabling further attacks. This is a severe breach of the application's integrity and confidentiality controls. The weakness is tracked as CWE-863 (Incorrect Authorization).
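The mismatch described above, as an added illustration that is not Parse Server's own code: a constructed mini-registry in which the vulnerable lookup splits the requested name on "." and walks ordinary property access (an assumption chosen to reproduce the advisory's description, not a copy of the upstream implementation), beside a hardened lookup that performs a single own-property read and an edge pre-check that flags suspicious function names. The function names adminReport and exportUsers, the requireMaster validator field and the request shapes are all constructed for the example; the hardened lookup is one possible fix, not necessarily the upstream patch.

```javascript
// Added illustration, not Parse Server's code: a minimal Cloud Function
// registry that reproduces the lookup mismatch the advisory describes.
// Assumption: the vulnerable lookup splits the requested name on '.' and
// walks ordinary property access, which follows the prototype chain.

const handlers = {};
const validators = {};

function defineFunction(name, handler, validator) {
  handlers[name] = handler;
  validators[name] = validator;
}

// Two constructed functions using the validator shapes the advisory names.
defineFunction(
  'adminReport',
  function adminReport(req) { return `report for ${req.user}`; }, // regular fn: has .prototype
  { requireMaster: true }                                           // plain-object validator
);
defineFunction(
  'exportUsers',
  function exportUsers(req) { return `export by ${req.user}`; },
  (req) => { if (!req.master) throw new Error('master key required'); } // arrow fn: no .prototype
);

// Vulnerable lookup: each segment is a plain property read, so
// 'adminReport.prototype.constructor' walks fn -> fn.prototype -> fn,
// while the same path on a plain-object or arrow validator dead-ends.
function vulnerableResolve(store, name) {
  let current = store;
  for (const segment of name.split('.')) {
    if (current == null) return undefined;
    current = current[segment];
  }
  return current;
}

// Hardened lookup: a single own-property read; no path walking at all.
function hardenedResolve(store, name) {
  return Object.hasOwn(store, name) ? store[name] : undefined;
}

// Edge pre-check (proxy rule, WAF, or log triage): a Cloud Function name
// should contain no '.' and never be a prototype-related property name.
function isSuspiciousFunctionName(name) {
  return name.includes('.') || /^(prototype|constructor|__proto__)$/.test(name);
}

// Dispatch one request through the given resolver: validator, then handler.
function runFunction(resolve, name, req) {
  const validator = resolve(validators, name);
  try {
    if (typeof validator === 'function') {
      validator(req);
    } else if (validator && validator.requireMaster && !req.master) {
      throw new Error('master key required');
    }
  } catch (e) {
    return { ok: false, error: `validation failed: ${e.message}` };
  }
  const handler = resolve(handlers, name);
  if (typeof handler !== 'function') return { ok: false, error: 'Invalid function' };
  return { ok: true, result: handler(req) };
}

const anon = { user: 'anonymous', master: false };

// Summarises what each path does for an unprivileged caller.
function demo() {
  const evil = 'adminReport.prototype.constructor';
  return {
    handlerIsReal: vulnerableResolve(handlers, evil) === handlers.adminReport,
    validatorLost: vulnerableResolve(validators, evil) === undefined,
    vulnerable: runFunction(vulnerableResolve, evil, anon),
    vulnerableArrow: runFunction(vulnerableResolve, 'exportUsers.prototype.constructor', anon),
    hardened: runFunction(hardenedResolve, evil, anon),
    direct: runFunction(hardenedResolve, 'adminReport', anon),
    master: runFunction(hardenedResolve, 'adminReport', { user: 'ops', master: true }),
    flagged: isSuspiciousFunctionName(evil),
  };
}

console.log(demo());
```

With the vulnerable resolver the suffixed name reaches the real handler and the validator lookup comes back undefined, so the unprivileged request succeeds for both the plain-object and the arrow-function validator; with the hardened resolver the suffixed name matches nothing and fails closed, while the plain name is still validated and still works for a master-key caller.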
Affected Systems
Any deployment of the open-source parse-server module (a Node.js application) running a version before 8.6.67, or a 9.x pre-release before 9.7.0-alpha.11, is susceptible. The CPE records cover 9.7.0-alpha.1 through 9.7.0-alpha.10; earlier releases likewise lack the patch that fixes the prototype-traversal mismatch. Organizations running these releases should inventory their deployments and upgrade to a fixed version. The vulnerability surfaces wherever Cloud Functions are defined with validators that are plain objects or arrow functions; a deployment that defines no validators has nothing to bypass, but any function that relies on a validator of those shapes for access control is exposed.
Risk and Exploitability
The CVSS base score of 9.1 signals critical severity, reflecting a complete bypass of application-level access controls over the network. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days; it says nothing about the difficulty of exploitation, which is low: no privileges or local access are required, and a single crafted HTTP request to the Cloud Function endpoint with the modified function name is sufficient. Once the suffix is accepted, the validator is skipped and the protected function runs with the full privileges of the Parse Server process on behalf of an unprivileged caller, potentially leading to data disclosure or further abuse of the application's data and Cloud Code. The vulnerability is not listed in the CISA KEV catalog, but its severity and ease of exploitation warrant immediate remediation: upgrade to 8.6.67 or 9.7.0-alpha.11 or later, and review access logs for Cloud Function requests whose function name contains "prototype.constructor".
OpenCVE Enrichment
GitHub GHSA