CVE-2026-30972
Published: 10 March 2026
Summary
CVE-2026-30972 is a high-severity Improper Control of Interaction Frequency (CWE-799) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- The control requires defining frequency, timing, and approval for security interactions, directly addressing uncontrolled interaction rates.
- Allocation policies inherently restrict interaction frequency, reducing the impact of excessive requests.
- Spam protection explicitly controls interaction frequency by detecting and acting on bulk unsolicited messages from external sources.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Rate-limit bypass in public-facing Parse Server enables unauthenticated remote exploitation (T1190) to perform high-volume request flooding for resource exhaustion DoS (T1498.001 direct flood and T1499.004 application exploitation).
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
Deeper analysis
CVE-2026-30972 is a rate limiting bypass vulnerability in Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 9.5.2-alpha.10 and 8.6.23, the rate limiting middleware operates at the Express middleware layer, but the /batch endpoint processes its sub-requests internally through the Promise router. That internal routing never passes through the Express middleware chain, so the rate limiter sees one HTTP request where the application actually performs many, and an attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request. Deployments relying on Parse Server's built-in rate limiting feature are affected, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and a mapping to CWE-799 (Improper Control of Interaction Frequency).
Unauthenticated remote attackers can exploit this vulnerability by crafting a batch request that encapsulates numerous sub-requests to rate-limited endpoints, effectively circumventing configured rate limits. This enables excessive request volumes in a single HTTP call, potentially overwhelming server resources and causing denial of service through resource exhaustion, as indicated by the high availability impact in the CVSS score.
The Parse community addressed this in releases 8.6.23 and 9.5.2-alpha.10, with details available in the GitHub security advisory GHSA-775h-3xrc-c228 and corresponding release notes. Security practitioners should upgrade to these fixed versions and review configurations relying on built-in rate limiting, considering additional server-level protections like external rate limiters.
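The following is an added illustration of the defect class described above and of the mitigation principle (count every routed operation, not every HTTP request); it is not code from the Parse Server project, the advisory, or this page. It models the layering in plain Node.js with no dependencies: a fixed-window limiter standing in for the Express-layer middleware, a tiny route table standing in for the Promise router, and a /batch handler that dispatches sub-requests internally. The limiter, the route table, the `/login` route, the client address `203.0.113.10` and the limit of 5 requests per minute are all constructed for the example. With `countSubRequests: false` the batch endpoint bypasses the limiter exactly as the advisory describes; with `countSubRequests: true` each sub-request is charged against the same per-client budget, so packaging requests into a batch no longer buys extra throughput.

```javascript
// Fixed-window rate limiter keyed by client address (constructed stand-in for
// the Express-layer rate limiting middleware; not Parse Server's implementation).
class FixedWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;           // injectable clock so the simulation is deterministic
    this.buckets = new Map(); // key -> { start, count }
  }
  // Charge one request to `key`; true if allowed, false if the window budget is spent.
  take(key) {
    const t = this.now();
    const entry = this.buckets.get(key);
    if (!entry || t - entry.start >= this.windowMs) {
      this.buckets.set(key, { start: t, count: 1 });
      return true;
    }
    if (entry.count >= this.limit) return false;
    entry.count += 1;
    return true;
  }
}

// Minimal route table (constructed stand-in for the internal Promise router).
function makeRouter() {
  const routes = new Map();
  return {
    add(method, path, handler) { routes.set(`${method} ${path}`, handler); },
    dispatch(req) {
      const handler = routes.get(`${req.method} ${req.path}`);
      return handler ? handler(req) : { status: 404, body: { error: 'not found' } };
    },
  };
}

// Builds the simulated app. `countSubRequests` selects the hardened batch handler.
function buildApp({ limiter, countSubRequests }) {
  const router = makeRouter();
  router.add('POST', '/login', (req) => ({ status: 200, body: { ok: true, user: req.body.username } }));
  router.add('POST', '/batch', (req) => {
    const subs = req.body.requests || [];
    const results = subs.map((sub) => {
      // Hardened path: every sub-request is charged to the caller's budget before routing.
      if (countSubRequests && !limiter.take(req.ip)) {
        return { status: 429, body: { error: 'Too many requests' } };
      }
      // Vulnerable path (countSubRequests === false): sub-requests go straight to the
      // router, so the limiter never sees them. This is the bypass the advisory describes.
      return router.dispatch({ method: sub.method, path: sub.path, body: sub.body, ip: req.ip });
    });
    return { status: 200, body: results };
  });
  return {
    // Simulated Express pipeline: the limiter middleware runs once per inbound HTTP request.
    handle(req) {
      if (!limiter.take(req.ip)) return { status: 429, body: { error: 'Too many requests' } };
      return router.dispatch(req);
    },
  };
}

// Tally how many responses succeeded versus were rate limited.
function tally(responses) {
  return responses.reduce(
    (acc, r) => (r.status === 429 ? { ...acc, limited: acc.limited + 1 } : { ...acc, ok: acc.ok + 1 }),
    { ok: 0, limited: 0 },
  );
}

// Runs 20 direct requests, then 20 requests packed into one batch, from a single client
// with a constructed budget of 5 requests per 60 s window. Returns both tallies.
function simulate({ countSubRequests }) {
  let clock = 0;
  const limiter = new FixedWindowLimiter({ limit: 5, windowMs: 60000, now: () => clock });
  const app = buildApp({ limiter, countSubRequests });
  const ip = '203.0.113.10'; // constructed client address
  const login = { method: 'POST', path: '/login', body: { username: 'alice' } };

  const direct = tally(Array.from({ length: 20 }, () => app.handle({ ...login, ip })));

  clock += 60000; // start a fresh window so the batch begins with a full budget
  const batchResponse = app.handle({
    method: 'POST', path: '/batch', ip,
    body: { requests: Array.from({ length: 20 }, () => ({ ...login })) },
  });
  const batched = tally(batchResponse.body);
  return { direct, batched };
}

console.log('vulnerable:', JSON.stringify(simulate({ countSubRequests: false })));
console.log('hardened:  ', JSON.stringify(simulate({ countSubRequests: true })));
```

In the vulnerable configuration the 20 direct requests yield 5 successes and 15 rejections, while the same 20 requests inside one batch all succeed because the limiter was charged exactly once for the enclosing HTTP request. In the hardened configuration the batch request itself still costs one unit and each sub-request costs another, so only 4 of the 20 sub-requests succeed and the per-client budget of 5 holds regardless of how the requests are packaged. The same accounting can be applied at a reverse proxy that parses batch bodies, which is one form of the external, server-level protection the analysis recommends.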
Details
- CWE(s)