8.6
Parse Server Crash with Unauthenticated Attack
GHSA-5j86-7r7m-p8h6
CVE-2026-30939
Summary
An attacker can crash the Parse Server backend without a password, causing it to stop working. This affects all Parse Server deployments that allow access to the Cloud Function endpoint. To fix this, update to version 8.6.13 or 9.5.1-alpha.2.
What to do
- Update parse-server to version 8.6.13.
- Update parse-server to version 9.5.1-alpha.2.
- Update parse to version 9.5.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | parse-server | <= 8.6.13 | 8.6.13 |
| – | parse-server | > 9.0.0-alpha.1 , <= 9.5.1-alpha.2 | 9.5.1-alpha.2 |
| parseplatform | parse-server | <= 8.6.13 | – |
| parseplatform | parse-server | > 9.0.0 , <= 9.5.1 | – |
| parseplatform | parse-server | 9.5.1 | – |
| – | parse | > 9.0.0 , <= 9.5.1 | 9.5.1 |
Original title
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Original description
### Impact
An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process.
Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal.
All Parse Server deployments that expose the Cloud Function endpoint are affected.
### Patches
The internal handler registries for Cloud Functions, Jobs, Triggers, and Validators have been changed to prevent prototype chain properties from being resolved.
### Workarounds
Place a reverse proxy or WAF in front of Parse Server and block requests to the Cloud Function endpoint whose function name is an `Object.prototype` property name.
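The two mitigations above, the registry change from the Patches section and the request-side filter from the Workarounds section, come down to the same JavaScript property-lookup issue: a plain object used as a name-to-handler map resolves names inherited from `Object.prototype`, so an unregistered name can still "find" a function. The example below is an added illustration, not Parse Server's own code; `HandlerRegistry`, `naiveLookup` and `isSafeFunctionName` are hypothetical names chosen here. It contrasts a plain-object registry with a null-prototype registry guarded by an own-property check, and adds a name filter of the kind a proxy or WAF rule (or an application middleware) could apply, including rejection of dot-notation names.

```javascript
// Added example (not Parse Server's code): handler registry hardened against
// prototype-chain resolution, plus a request-side function-name filter.

// Naive registry: a plain object. Looking up a name that was never registered
// walks the prototype chain, so Object.prototype members appear to resolve.
function naiveLookup(registry, name) {
  return registry[name];
}

// Hardened registry: null-prototype storage (no inherited members at all)
// plus an explicit own-property check, so only registered names resolve.
class HandlerRegistry {
  constructor() {
    this.handlers = Object.create(null);
  }

  register(name, fn) {
    if (typeof name !== 'string' || name.length === 0) {
      throw new TypeError('handler name must be a non-empty string');
    }
    if (typeof fn !== 'function') {
      throw new TypeError('handler must be a function');
    }
    this.handlers[name] = fn;
  }

  // Returns the registered handler or undefined; never an inherited property.
  resolve(name) {
    if (typeof name !== 'string') return undefined;
    if (!Object.prototype.hasOwnProperty.call(this.handlers, name)) return undefined;
    return this.handlers[name];
  }
}

// Request-side filter (the workaround in WAF/middleware form): reject names
// that collide with Object.prototype members and names containing dots,
// which would otherwise express dot-notation traversal.
const PROTO_NAMES = new Set([
  ...Object.getOwnPropertyNames(Object.prototype),
  '__proto__',
]);

function isSafeFunctionName(name) {
  if (typeof name !== 'string' || name.length === 0) return false;
  if (name.includes('.')) return false;
  return !PROTO_NAMES.has(name);
}

// Dispatch as an endpoint handler would do it: filter first, then resolve.
// Returns a small result object instead of touching HTTP so it runs offline.
function dispatch(registry, name, params) {
  if (!isSafeFunctionName(name)) {
    return { status: 400, error: 'invalid function name' };
  }
  const handler = registry.resolve(name);
  if (handler === undefined) {
    return { status: 404, error: 'function not found' };
  }
  return { status: 200, result: handler(params) };
}

// Constructed sample data for a stand-alone run.
const plain = { hello: () => 'hi' };
const hardened = new HandlerRegistry();
hardened.register('hello', (p) => `hi ${p.who}`);

console.log(typeof naiveLookup(plain, 'toString'));      // "function": inherited, not registered
console.log(hardened.resolve('toString'));               // undefined
console.log(dispatch(hardened, 'hello', { who: 'bob' })); // { status: 200, result: 'hi bob' }
console.log(dispatch(hardened, 'constructor', {}));      // { status: 400, ... }
console.log(dispatch(hardened, 'a.b', {}));              // { status: 400, ... }
```

The own-property check is what makes the registry safe even if storage is later changed back to a plain object; the null prototype is defence in depth. The name filter is deliberately coarse (it rejects every `Object.prototype` member name and any dotted name), which is the right trade-off for a perimeter rule because legitimate Cloud Function names should never need those values.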
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.13
CVSS 4.0 score (GHSA): 8.8
Vulnerability type
CWE-1321
Prototype Pollution
- https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r...
- https://github.com/parse-community/parse-server/releases/tag/8.6.13
- https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2
- https://github.com/advisories/GHSA-5j86-7r7m-p8h6
- https://github.com/parse-community/parse-server (Product)
- https://nvd.nist.gov/vuln/detail/CVE-2026-30939
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30939... (Vendor Advisory)
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 10 Mar 2026