parse-server has cloud function validator bypass via prototype chain traversal

Description

An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.67

  >= 9.0.0, < 9.7.0-alpha.11**

• Patched version(s): **8.6.67

  9.7.0-alpha.11**

References

• GHSA-vpj2-qq7w-5qq6
• CVE-2026-34532
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
• Parse Server's Cloud function dispatch crashes server via prototype chain traversal - CVE-2026-32886
• Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
• Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

parse-server