Cyber Resilience

CVE-2026-30939 (High)

Published: 10 March 2026
Modified: 11 March 2026
KEV Added: not listed
Patch: available (8.6.13 / 9.5.1-alpha.2)
CVSS Score v4: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0049 (38.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-30939 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30939 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by invoking the Cloud Function endpoint with a prototype property name as the function name, which triggers infinite recursion and a call stack size error that terminates the process. Other prototype property names, and dot-notation traversal, bypass Cloud Function dispatch validation and produce HTTP 200 responses for functions that are not defined. All deployments exposing the Cloud Function endpoint are vulnerable. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is mapped to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')).

An unauthenticated remote attacker can exploit this over the network with low complexity and no privileges required. By sending a crafted request to the Cloud Function endpoint using specific prototype property names, the attacker induces a denial-of-service condition via process crash. Alternatively, using other prototype properties or dot-notation, the attacker bypasses validation to elicit misleading HTTP 200 responses, potentially aiding further reconnaissance or chaining attacks, though no direct confidentiality or integrity impact is present.

The Parse community advisories recommend upgrading to Parse Server 8.6.13 or 9.5.1-alpha.2, where the issue is fixed. Details are available in the GitHub security advisory GHSA-5j86-7r7m-p8h6 and release notes for the patched versions at https://github.com/parse-community/parse-server/releases/tag/8.6.13 and https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2.
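To make the dispatch-validation failure described above concrete, the following is an added example that is not Parse Server's code and does not reproduce its actual dispatcher or fix. It models a hypothetical Cloud Function registry with two lookup strategies: a plain property read, which walks the prototype chain and so resolves names such as "constructor" or "toString" to functions that were never registered, and a hardened lookup that accepts only own properties with a constrained name syntax (the SI-10 style control named in this record). The registry contents, function names and the `dispatch` helper are all constructed for illustration.

```javascript
'use strict';

// Constructed registry of Cloud Functions (hypothetical names and bodies).
// A plain object literal inherits from Object.prototype, which is what makes
// a naive lookup dangerous.
const registry = {
  hello: (params) => `hello ${params.name ?? 'world'}`,
  add: (params) => Number(params.a) + Number(params.b),
};

// Weak lookup: `registry[name]` reads through the prototype chain, so
// "constructor", "toString", "hasOwnProperty" etc. resolve to functions on
// Object.prototype even though no such Cloud Function was registered.
function weakResolve(name) {
  const fn = registry[name];
  return typeof fn === 'function' ? fn : null;
}

// Hardened lookup (illustrative mitigation, not the upstream patch):
//  1. the name must be a string matching a conservative identifier pattern,
//     which rejects dot-notation such as "a.b" outright;
//  2. the name must be an OWN property of the registry, which rejects
//     inherited prototype keys such as "constructor" or "__proto__";
//  3. the resolved value must actually be a function.
const NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;

function safeResolve(name) {
  if (typeof name !== 'string' || !NAME_PATTERN.test(name)) return null;
  if (!Object.prototype.hasOwnProperty.call(registry, name)) return null;
  const fn = registry[name];
  return typeof fn === 'function' ? fn : null;
}

// Simulated HTTP dispatch: returns { status, body } instead of writing to a
// real response so the behaviour of both resolvers can be compared offline.
function dispatch(resolve, name, params) {
  const fn = resolve(name);
  if (!fn) {
    return { status: 404, body: { error: `Invalid function: "${name}"` } };
  }
  try {
    return { status: 200, body: { result: fn(params) } };
  } catch (err) {
    return { status: 500, body: { error: String(err && err.message) } };
  }
}

// Stand-alone demonstration: the weak resolver answers 200 for an
// unregistered prototype name, the hardened one answers 404.
console.log('weak  toString ->', dispatch(weakResolve, 'toString', {}).status);
console.log('safe  toString ->', dispatch(safeResolve, 'toString', {}).status);
console.log('safe  hello    ->', dispatch(safeResolve, 'hello', { name: 'ops' }).body);
```

The important detail is the own-property check: a `typeof fn === 'function'` test alone is not a validation step, because Object.prototype already supplies functions under well-known names. Registries keyed by untrusted input are safer still when created with `Object.create(null)` or as a `Map`, which have no prototype chain to traverse.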

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.

CWE(s)

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated remote exploitation of the exposed Cloud Function endpoint via crafted prototype-pollution requests directly enables initial access through public-facing application exploitation (T1190) and causes process crash/DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-32878 (same product: Parseplatform Parse-Server)
- CVE-2026-32886 (same product: Parseplatform Parse-Server)
- CVE-2026-30946 (same product: Parseplatform Parse-Server)
- CVE-2026-33508 (same product: Parseplatform Parse-Server)
- CVE-2026-30972 (same product: Parseplatform Parse-Server)
- CVE-2026-30947 (same product: Parseplatform Parse-Server)
- CVE-2026-32770 (same product: Parseplatform Parse-Server)
- CVE-2026-33498 (same product: Parseplatform Parse-Server)
- CVE-2026-34573 (same product: Parseplatform Parse-Server)
- CVE-2026-33538 (same product: Parseplatform Parse-Server)

Affected Assets

Vendor: parseplatform
Product: parse-server
Versions: 9.5.1 · ≤ 8.6.13 · 9.0.0 — 9.5.1

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly remediates the prototype pollution vulnerability by requiring timely patching to Parse Server versions 8.6.13 or 9.5.1-alpha.2, eliminating the infinite recursion and the validation bypass.
- prevent (SI-10 Information Input Validation): Prevents exploitation by enforcing validation and sanitization of Cloud Function endpoint inputs so that prototype property names and dot-notation traversals, which trigger recursion or bypass dispatch checks, are rejected.
- prevent (SC-5 Denial-of-service Protection): Mitigates denial-of-service crashes from unauthenticated crafted requests through protections such as rate limiting or resource quotas on the Cloud Function endpoint.
