7.5

Parse Server allows attackers to bypass rate limits

CVE-2026-30972 · GHSA-775h-3xrc-c228
Summary

Parse Server's rate limiting feature can be bypassed by bundling multiple requests into a single batch request. This affects any deployment that relies on built-in rate limiting. To protect your server, consider using a reverse proxy or web application firewall to enforce rate limiting before requests reach Parse Server.

What to do
  • Update parse-server to version 9.5.2-alpha.10.
  • Update parse-server to version 8.6.23.
  • Update parse to version 9.5.2.
Affected software
Vendor          Product        Affected versions                       Fix available
                parse-server   > 9.0.0-alpha.1 , <= 9.5.2-alpha.10     9.5.2-alpha.10
                parse-server   <= 8.6.23                               8.6.23
parseplatform   parse-server   <= 8.6.23
parseplatform   parse-server   > 9.0.0 , <= 9.5.2
parseplatform   parse-server   9.5.2
                parse          > 9.0.0 , <= 9.5.2                      9.5.2
Original title
Parse Server has a rate limit bypass via batch request endpoint
Original description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
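As an added example that is not Parse Server's own code or its fix, here is one way to apply the mitigation the summary suggests, enforcing the limit ahead of Parse Server: an Express-style middleware that charges a batch request one rate-limit unit per sub-request, so bundling cannot reduce the count. It assumes the Parse REST batch body shape `{ requests: [...] }`, that the request body has already been parsed (for example by `express.json()`), and the hypothetical names `requestWeight`, `WindowCounter` and `weightedRateLimit`.

```javascript
// Added example (not Parse Server code): count batch sub-requests against a
// per-client, fixed-window rate limit before the request reaches Parse Server.
// Assumes the Parse REST batch body shape { requests: [ { method, path, body } ] }.

// Rate-limit units a request costs: one per batch sub-request, otherwise one.
// A malformed or empty batch body still costs one unit.
function requestWeight(path, body) {
  if (path.endsWith('/batch') && body && Array.isArray(body.requests)) {
    return Math.max(1, body.requests.length);
  }
  return 1;
}

// Fixed-window counter keyed by a client identifier (e.g. IP address).
// `now` is injectable so the behaviour is deterministic in tests.
class WindowCounter {
  constructor(windowMs, max) {
    this.windowMs = windowMs;
    this.max = max;
    this.buckets = new Map(); // key -> { start, used }
  }
  // Returns true if `weight` units fit in the client's current window.
  consume(key, weight, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, used: 0 };
      this.buckets.set(key, b);
    }
    if (b.used + weight > this.max) return false;
    b.used += weight;
    return true;
  }
}

// Express-style middleware. Mount it with app.use(...) before the Parse Server
// mount point, after the JSON body parser, so the weighted check runs even
// though Parse routes batch sub-requests internally.
function weightedRateLimit({ windowMs = 60000, max = 100, keyFn = req => req.ip } = {}) {
  const counter = new WindowCounter(windowMs, max);
  return function (req, res, next) {
    const weight = requestWeight(req.path || '', req.body);
    if (counter.consume(keyFn(req), weight)) return next();
    res.status(429).json({ error: 'Too many requests' });
  };
}
```

A batch whose sub-request count alone exceeds the window budget is rejected as a whole; an upstream reverse proxy or WAF limit, as the summary recommends, still belongs in front of the application for defence in depth.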
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-799 (Improper Control of Interaction Frequency)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026