Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
- Severity:
- High
Description
An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 9.0.0-alpha.1, < 9.5.1-alpha.2 < 8.6.13** Patched version(s): **9.5.1-alpha.2 8.6.13**
References
Related Issues
- Parse Server's Cloud function dispatch crashes server via prototype chain traversal - CVE-2026-32886
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on March 10, 2026