CVE-2026-30939
HIGH
GHSA-5j86-7r7m-p8h6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.
Analysis
Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Parse Server instances and confirm affected versions. Within 7 days: Apply vendor patches (upgrade to 8.6.13 or 9.5.1-alpha.2 or later) to all production and non-production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today