CVE-2026-30939
Published: 10 March 2026
Summary
CVE-2026-30939 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of the exposed Cloud Function endpoint via crafted prototype-pollution requests directly enables initial access through public-facing application exploitation (T1190) and causes process crash/DoS via application exploitation (T1499.004).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a…
more
prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.
Deeper analysisAI
CVE-2026-30939 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 8.6.13 and 9.5.1-alpha.2, the vulnerability allows an unauthenticated attacker to crash the Parse Server process by invoking the Cloud Function endpoint with a prototype property name as the function name, triggering infinite recursion and a call stack size error that terminates the process. Additionally, other prototype property names or dot-notation traversal can bypass Cloud Function dispatch validation, resulting in HTTP 200 responses for undefined functions. All deployments exposing the Cloud Function endpoint are vulnerable, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
An unauthenticated remote attacker can exploit this over the network with low complexity and no privileges required. By sending a crafted request to the Cloud Function endpoint using specific prototype property names, the attacker induces a denial-of-service condition via process crash. Alternatively, using other prototype properties or dot-notation, the attacker bypasses validation to elicit misleading HTTP 200 responses, potentially aiding further reconnaissance or chaining attacks, though no direct confidentiality or integrity impact is present.
The Parse community advisories recommend upgrading to Parse Server 8.6.13 or 9.5.1-alpha.2, where the issue is fixed. Details are available in the GitHub security advisory GHSA-5j86-7r7m-p8h6 and release notes for the patched versions at https://github.com/parse-community/parse-server/releases/tag/8.6.13 and https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2.
Details
- CWE(s)