Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Description

The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 9.0.0-alpha.1, < 9.5.1-alpha.1

  < 8.6.12**

• Patched version(s): **9.5.1-alpha.1

  8.6.12**

References

• GHSA-q342-9w2p-57fp
• CVE-2026-30938
• CWE-693
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
• Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

parse-server