parse-server has cloud function validator bypass via prototype chain traversal

Description

An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.67

  >= 9.0.0, < 9.7.0-alpha.11**

• Patched version(s): **8.6.67

  9.7.0-alpha.11**

References

• GHSA-vpj2-qq7w-5qq6
• CVE-2026-34532
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
• Parse Server's Cloud function dispatch crashes server via prototype chain traversal - CVE-2026-32886
• Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
• Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

parse-server