Cyber Resilience

CVE-2026-30972

Medium

Published: 10 March 2026
Modified: 11 March 2026
CVSS Score (v4): 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30972 is a medium-severity Improper Control of Interaction Frequency (CWE-799) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 19.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30972 is a rate limiting bypass vulnerability in Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 9.5.2-alpha.10 and 8.6.23, the rate limiting middleware operates at the Express middleware layer, but the /batch endpoint processes its sub-requests internally through the Promise router. That internal routing never passes through the Express middleware chain, so rate limiting is not applied to the sub-requests, and an attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request. Deployments relying on Parse Server's built-in rate limiting feature are affected. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is mapped to CWE-799 (Improper Control of Interaction Frequency).

Unauthenticated remote attackers can exploit this vulnerability by crafting a batch request that encapsulates numerous sub-requests to rate-limited endpoints, effectively circumventing configured rate limits. This enables excessive request volumes in a single HTTP call, potentially overwhelming server resources and causing denial of service through resource exhaustion, as indicated by the high availability impact in the CVSS score.

The Parse community addressed this in releases 8.6.23 and 9.5.2-alpha.10, with details available in the GitHub security advisory GHSA-775h-3xrc-c228 and corresponding release notes. Security practitioners should upgrade to these fixed versions and review configurations relying on built-in rate limiting, considering additional server-level protections like external rate limiters.

Vulnerability details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
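The mechanism described above (and in the deeper analysis) is that the outer limiter only ever sees one HTTP request, however many sub-requests the /batch body carries. The following is an added example, not Parse Server's own code or its fix: a small batch-aware limiter that charges each sub-request inside a /batch body against the same per-client budget a plain request would consume. It assumes Parse's batch body shape `{ requests: [{ method, path, body }] }`; the class name, the `limitedPaths` option and the sample batch are constructed for the example.

```javascript
// Added example, not Parse Server's own code: a batch-aware limiter that charges
// every sub-request inside a /batch body against the same per-client budget a
// plain request would consume, so bundling no longer evades the limit.
// Assumes Parse's batch body shape { requests: [{ method, path, body }, ...] }.
class BatchAwareLimiter {
  constructor({ budget, windowMs, limitedPaths }) {
    this.budget = budget;             // max limited requests per client per window
    this.windowMs = windowMs;
    this.limitedPaths = limitedPaths; // path prefixes the limit applies to
    this.windows = new Map();         // clientId -> { start, used }
  }
  isLimited(path) {
    return typeof path === 'string' && this.limitedPaths.some((p) => path.startsWith(p));
  }
  // What a limiter that only sees the outer Express request charges: /batch itself
  // is not a limited path, so a bundle of N limited sub-requests costs 0 (the flaw).
  naiveCost(path) {
    return this.isLimited(path) ? 1 : 0;
  }
  // Hardened accounting: look inside /batch and count each limited sub-request.
  cost(path, body) {
    if (path === '/batch' && body && Array.isArray(body.requests)) {
      return body.requests.filter((r) => this.isLimited(r.path)).length;
    }
    return this.naiveCost(path);
  }
  // Fixed-window check; returns { allowed, remaining }. `now` is injectable for tests.
  check(clientId, path, body, now = Date.now()) {
    const cost = this.cost(path, body);
    let w = this.windows.get(clientId);
    if (!w || now - w.start >= this.windowMs) {
      w = { start: now, used: 0 };
      this.windows.set(clientId, w);
    }
    if (w.used + cost > this.budget) return { allowed: false, remaining: this.budget - w.used };
    w.used += cost;
    return { allowed: true, remaining: this.budget - w.used };
  }
}

// Constructed sample: one HTTP request bundling five sub-requests to a limited path.
const sampleBatch = {
  requests: Array.from({ length: 5 }, (_, i) => ({
    method: 'POST', path: '/parse/classes/Event', body: { seq: i },
  })),
};
```

In a deployment this logic would sit in Express middleware ahead of the router (keyed by client IP), or in an external rate limiter as the mitigating controls suggest; it complements upgrading to the fixed versions rather than replacing it.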

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1498.001 Direct Network Flood (Impact): Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Rate-limit bypass in public-facing Parse Server enables unauthenticated remote exploitation (T1190) to perform high-volume request flooding for resource exhaustion DoS (T1498.001 direct flood and T1499.004 application exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30946 (same product: Parseplatform Parse-Server)
CVE-2026-33508 (same product: Parseplatform Parse-Server)
CVE-2026-30939 (same product: Parseplatform Parse-Server)
CVE-2026-34784 (same product: Parseplatform Parse-Server)
CVE-2026-34573 (same product: Parseplatform Parse-Server)
CVE-2026-33538 (same product: Parseplatform Parse-Server)
CVE-2026-32098 (same product: Parseplatform Parse-Server)
CVE-2026-32878 (same product: Parseplatform Parse-Server)
CVE-2026-32594 (same product: Parseplatform Parse-Server)
CVE-2026-32944 (same product: Parseplatform Parse-Server)

Affected Assets

parseplatform / parse-server: 9.5.2 · ≤ 8.6.23 · 9.0.0 to 9.5.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation requires timely patching of Parse Server to versions 9.5.2-alpha.10 or 8.6.23, directly eliminating the rate limiting bypass vulnerability.

SC-5 Denial-of-service Protection (prevent): Denial-of-service protection implements system-level rate limiting to prevent resource exhaustion from batched sub-requests bypassing application middleware.

Boundary Protection (prevent): Boundary protection enforces external rate limiting via proxies or WAFs, mitigating application-level bypasses in the /batch endpoint.
