Parse Server, DoS/Bypass, CVE-2026-30939 (High)

Listen to this Post

The vulnerability, assigned CVE-2026-30939, resides in how Parse Server resolves Cloud Function names. When a request is made to a Cloud Function endpoint, the server attempts to look up the function handler from a registry object using the name provided in the request. By sending a crafted function name that includes prototype property names (like `__proto__` or constructor) or uses dot-notation traversal (e.g., __proto__.toString), an attacker can force the server to traverse up the JavaScript prototype chain. This occurs because the lookup logic does not restrict resolution to the object’s own properties. The recursive nature of this prototype chain traversal leads to an infinite loop, rapidly consuming all available stack space and causing a fatal call stack size error. This error terminates the Node.js process, resulting in a complete Denial of Service (DoS). Additionally, other prototype property names may not cause a crash but instead bypass dispatch validation, returning HTTP 200 responses for non-existent functions .

dailycve form:

Platform: Parse Server
Version: <8.6.13, 9.0.0-9.5.1-alpha.2
Vulnerability : DoS/Bypass
Severity: High (7.5)
Date: March 10, 2026

Prediction: Patch already available

What Undercode Say:

Analytics

The vulnerability exploits the dynamic nature of JavaScript’s prototype chain. Parse Server maintains internal registries for Cloud Functions. The vulnerable code path lacked a check to ensure that only the object’s own properties were accessed. By providing a function name that corresponds to a property on Object.prototype, the `get` operation triggered a recursive lookup. The fix implemented in versions `8.6.13` and `9.5.1-alpha.2` changes the registry access to use `Object.prototype.hasOwnProperty.call()` or similar mechanisms, ensuring that lookups are scoped to the direct properties of the handler object and do not walk the prototype chain .

Bash/Code Examples

Check your current Parse Server version:

npm list parse-server
or
grep '"version":' node_modules/parse-server/package.json

Simulate the vulnerable function lookup (Conceptual Code):

// Vulnerable simulation
function getFunction(handlerRegistry, functionName) {
// No check for own property, allows prototype traversal
return handlerRegistry[bash];
}
// Patched simulation
function getFunctionPatched(handlerRegistry, functionName) {
if (Object.prototype.hasOwnProperty.call(handlerRegistry, functionName)) {
return handlerRegistry[bash];
}
return undefined;
}

Update to a patched version using npm:

For stable v8 branch
npm install [email protected]
For v9 alpha branch
npm install [email protected]

How Exploit

An attacker can send a crafted HTTP request to the Cloud Functions endpoint. No authentication is required. The request targets a route like /functions/<crafted_name>.

Exploit Payload Example:

POST /functions/<strong>proto</strong> HTTP/1.1
Host: target.parse-server.com
X-Parse-Application-Id: YOUR_APP_ID
Content-Type: application/json
{}

If the server is vulnerable, processing this request will cause an infinite recursion, leading to a `RangeError: Maximum call stack size exceeded` and crashing the Node.js process .

Protection from this CVE

  1. Immediate Patching: Upgrade Parse Server to version `8.6.13` (for the v8 line) or `9.5.1-alpha.2` (for the v9 line) or later .
  2. Workaround (If Patching is Delayed): Place a reverse proxy or Web Application Firewall (WAF) in front of Parse Server. Configure rules to block requests to the `/functions` endpoint where the function name matches known prototype property names (e.g., __proto__, constructor, prototype) or contains dot-notation (e.g., __proto__.toString) .

Impact

  • Availability: A remote, unauthenticated attacker can crash the server process, causing a complete Denial of Service (DoS) for all users relying on the backend.
  • Security Bypass: Some prototype property names may not crash the server but instead bypass Cloud Function dispatch, returning misleading HTTP 200 responses and potentially allowing attackers to probe the server’s internal structure .
  • Service Disruption: The crash requires manual intervention to restart the Parse Server process, leading to significant downtime.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top