PT-2026-25986 · Unknown · Parse Server
Fancymalware · Published 2026-03-17 · Updated 2026-03-20
CVE-2026-32886 · CVSS v4.0 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.6.0-alpha.24
Parse Server versions prior to 8.6.47
Description
Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name. The crafted name traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The issue affects Parse Server, an open source backend deployable on Node.js infrastructures. The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. The vulnerable component is the cloud function handler; the attack vector is a call to a cloud function endpoint with a crafted function name.
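The own-property check that the fix describes, as an added example in plain JavaScript (not Parse Server's code; the registry and the names `registerFunction`, `resolveUnsafe`, `resolveSafe` and `isRegisteredCloudFunction` are hypothetical): an unguarded lookup on a plain object also returns members inherited from `Object.prototype`, while the hardened lookup returns only handlers stored directly on the registry.

```javascript
// Added example, not Parse Server's code: a minimal cloud-function registry
// showing the lookup weakness described above next to the own-property fix.
// All names here (registerFunction, resolveUnsafe, resolveSafe,
// isRegisteredCloudFunction) are hypothetical.

// Registry keyed by cloud function name. A plain object literal inherits from
// Object.prototype, so an unguarded registry[name] also finds inherited members
// such as "constructor" or "toString" that were never registered.
const registry = {};

function registerFunction(name, handler) {
  if (typeof name !== 'string' || typeof handler !== 'function') {
    throw new TypeError('name must be a string and handler a function');
  }
  registry[name] = handler;
}

// Vulnerable pattern: whatever the property lookup yields, including values
// reached through the prototype chain, is treated as a registered handler.
function resolveUnsafe(name) {
  return registry[name];
}

// Hardened pattern: only a handler stored directly on the registry is returned.
// hasOwnProperty is invoked through Object.prototype so that a function
// registered under the name "hasOwnProperty" cannot shadow the check.
function resolveSafe(name) {
  if (typeof name !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(registry, name)) return undefined;
  return registry[name];
}

// Request-time gate: true only when the name maps to an explicitly registered
// cloud function; anything else should be answered with "function not found".
function isRegisteredCloudFunction(name) {
  return typeof resolveSafe(name) === 'function';
}

// Constructed sample registration.
registerFunction('hello', (req) => `hello ${req.params.name}`);

console.log(typeof resolveUnsafe('constructor'));   // "function": inherited, never registered
console.log(typeof resolveSafe('constructor'));     // "undefined": rejected by the own-property check
console.log(isRegisteredCloudFunction('hello'));    // true
console.log(isRegisteredCloudFunction('toString')); // false
```

Storing handlers in a `Map`, or in an object created with `Object.create(null)`, removes the inherited members altogether and is an equivalent hardening.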
Recommendations
Update Parse Server to version 9.6.0-alpha.24 or later.
Update Parse Server to version 8.6.47 or later.
Exploit
Fix
DoS
Prototype Pollution
Weakness Enumeration
Related identifiers
Affected products
Parse Server