PT-2026-24188 · Unknown · Parse Server

Theinfosecguy · Published 2026-03-10 · Updated 2026-03-18 · CVE-2026-30939

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 8.6.13
Parse Server versions prior to 9.5.1-alpha.2

Description
An unauthenticated attacker can crash the Parse Server process, causing a denial of service, by calling the Cloud Function endpoint with a prototype property name as the function name; the lookup then recurses indefinitely and fails with a call stack size error. Prototype property names also bypass Cloud Function dispatch validation, so the server returns HTTP 200 even though no such Cloud Function is defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. The root cause lies in the internal handler registries for Cloud Functions, Jobs, Triggers, and Validators, which previously resolved properties inherited through the prototype chain.

Recommendations
Versions prior to 8.6.13 should be updated to version 8.6.13. Versions prior to 9.5.1-alpha.2 should be updated to version 9.5.1-alpha.2. As a temporary workaround, consider placing a reverse proxy or Web Application Firewall (WAF) in front of Parse Server and blocking requests to Object.prototype property names.
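The registry issue described above, as an added illustration that is not Parse Server's own code: a toy handler registry in which a plain-object lookup resolves inherited Object.prototype properties as if they were registered handlers, next to an own-property lookup and a name filter in the spirit of the advisory's reverse-proxy workaround. The dotted traversal is modelled as a simple split on '.', an assumption about how such traversal might be implemented.

```javascript
'use strict';

// All own property names of Object.prototype (constructor, toString, __proto__, ...).
const PROTO_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));

// Constructed sample registry: one legitimately defined Cloud Function.
const functions = { hello: () => 'hi' };

// Vulnerable pattern: walks dotted segments with plain property access, so
// inherited properties such as "constructor" resolve to callable values.
function lookupVulnerable(registry, name) {
  const handler = name.split('.').reduce((cur, key) => (cur == null ? cur : cur[key]), registry);
  return typeof handler === 'function' ? handler : undefined;
}

// Hardened pattern: every segment must be an own property of a plain object;
// anything inherited from a prototype is treated as "not defined".
function lookupHardened(registry, name) {
  let cur = registry;
  for (const key of name.split('.')) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return typeof cur === 'function' ? cur : undefined;
}

// Edge filter matching the advisory's WAF workaround: reject a function name
// if any dotted segment is an Object.prototype property name.
function isForbiddenName(name) {
  return name.split('.').some((seg) => PROTO_NAMES.has(seg));
}

// Minimal dispatcher: 404 for unknown names, 200 with the handler's result,
// 500 if the resolved value throws when called.
function dispatch(lookup, registry, name) {
  const handler = lookup(registry, name);
  if (!handler) return { status: 404 };
  try {
    return { status: 200, result: handler() };
  } catch (err) {
    return { status: 500, error: err.constructor.name };
  }
}
```

With the vulnerable lookup, "constructor" and "hello.constructor" both dispatch with HTTP 200 although no such function is registered; the hardened lookup returns 404 for them and still serves "hello".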

Tags: Exploit · Fix · DoS · Prototype Pollution

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-30939
CVE-2026-30939
GHSA-5J86-7R7M-P8H6

Affected Products

Parse Server