Prototype Pollution CVE-2026-32886
Severity: HIGH
Description (NVD)
Impact
Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.
Patches
The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.
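The difference between prototype-chain lookup and own-property lookup that the fix describes, as an added example (not Parse Server code and not from the advisory). The dotted-name registry and the functions `resolveNaive`, `resolveOwn` and `classify` are hypothetical, and the sample registry is constructed.

```javascript
// Added illustration; not Parse Server source. All names here are hypothetical.

// Constructed sample registry: one top-level handler, one namespaced handler.
const registry = {
  hello: function hello() { return 'hi'; },
  billing: { charge: function charge() { return 'charged'; } },
};

// Naive resolution: plain property access follows the prototype chain, so a
// name segment can reach inherited members of a stored handler or namespace.
function resolveNaive(store, name) {
  let node = store;
  for (const segment of name.split('.')) {
    if (node === null || node === undefined) return undefined;
    node = node[segment];
  }
  return node;
}

// Hardened resolution: every segment must be an OWN property of the current
// node, and the final value must be a function to count as a handler.
function resolveOwn(store, name) {
  let node = store;
  for (const segment of name.split('.')) {
    const canHoldProps =
      node !== null && (typeof node === 'object' || typeof node === 'function');
    if (!canHoldProps || !Object.prototype.hasOwnProperty.call(node, segment)) {
      return undefined;
    }
    node = node[segment];
  }
  return typeof node === 'function' ? node : undefined;
}

// Classify a requested name for logging or alerting:
//   'registered' - resolves to a handler through own properties only
//   'rejected'   - resolves to something under naive lookup, but not to a handler
//   'unknown'    - resolves to nothing either way
function classify(store, name) {
  if (resolveOwn(store, name)) return 'registered';
  return resolveNaive(store, name) !== undefined ? 'rejected' : 'unknown';
}
```

Names classified as `rejected` are worth logging, since ordinary clients have no reason to request them.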
Workarounds
There is no known workaround.
Analysis (AI)
Parse Server is vulnerable to denial of service when remote attackers craft malicious cloud function names that exploit prototype chain traversal, allowing them to trigger stack overflows and crash the server process. The vulnerability stems from improper property lookup restrictions during function name resolution. …
Remediation (AI)
Within 24 hours: Inventory all Parse Server instances and cloud function endpoints; assess exposure to external/untrusted traffic. Within 7 days: Apply available vendor patch to all affected Parse Server deployments in non-production environments and validate functionality. …
GHSA-4263-jgmp-7pf4