PT-2026-25986 · Npm · Parse Server

Published: 2026-03-17 · Updated: 2026-03-17 · CVE-2026-32886

CVSS v4.0: 8.2
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Impact

Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.

Patches

The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.
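
The difference between an inherited-property lookup and an own-property lookup, as an added example that is not Parse Server's code. The registry, `define`, `resolveInherited` and `resolveOwn` are hypothetical names, and resolving names segment by segment on `.` is an assumption made for the illustration.

```javascript
// Added illustration: hypothetical registry, not Parse Server source.
// Assumption: names are resolved segment by segment on "." boundaries.
const registry = Object.create(null);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function define(name, handler) {
  const parts = name.split('.');
  const last = parts.pop();
  let node = registry;
  for (const part of parts) {
    if (!hasOwn(node, part)) node[part] = Object.create(null);
    node = node[part];
  }
  node[last] = handler;
}

// Before: bracket lookup also returns properties inherited by a stored handler.
function resolveInherited(name) {
  let node = registry;
  for (const part of name.split('.')) {
    if (node === undefined || node === null) return undefined;
    node = node[part];
  }
  return typeof node === 'function' ? node : undefined;
}

// After: every segment must be an own property of the current node.
function resolveOwn(name) {
  let node = registry;
  for (const part of name.split('.')) {
    const walkable = node !== null &&
      (typeof node === 'object' || typeof node === 'function');
    if (!walkable || !hasOwn(node, part)) return undefined;
    node = node[part];
  }
  return typeof node === 'function' ? node : undefined;
}

// Constructed sample handlers.
define('hello', () => 'world');
define('billing.total', () => 42);

console.log(resolveInherited('hello.toString') === Function.prototype.toString); // true
console.log(resolveOwn('hello.toString'));   // undefined
console.log(resolveOwn('billing.total')());  // 42
```

A prototype-less store (`Object.create(null)`) does not help on its own here, because the stored handler is a function with its own prototype chain; the own-property check has to apply at every step of the lookup.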

Workarounds

There is no known workaround.

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-32886
GHSA-4263-JGMP-7PF4

Affected Products

Parse Server