CVE-2026-30939
Received Received - Intake
Infinite Recursion Crash in Parse Server Cloud Functions

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30939
EUVD
EUVD-2026-10549
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
parseplatform parse-server to 8.6.13 (exc)
parseplatform parse-server From 9.0.0 (inc) to 9.5.1 (exc)
parseplatform parse-server 9.5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 8.6.13 or later, or 9.5.1-alpha.2 or later, where the issue is fixed.

Ensure that your Cloud Function endpoint is not exposed to unauthenticated users until the upgrade is applied, as the vulnerability allows unauthenticated attackers to crash the server.

Executive Summary

This vulnerability affects Parse Server, an open source backend for Node.js. Before versions 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker could crash the Parse Server by calling a Cloud Function endpoint using a prototype property name as the function name. This causes the server to recurse infinitely, leading to a call stack size error that terminates the process.

Additionally, using other prototype property names or dot-notation traversal can bypass Cloud Function dispatch validation, causing the server to return HTTP 200 responses even though no such Cloud Functions exist.

All Parse Server deployments exposing the Cloud Function endpoint are affected by this issue.

Impact Analysis

The vulnerability allows an unauthenticated attacker to crash the Parse Server process, causing a denial of service by terminating the server unexpectedly.

Furthermore, the bypass of Cloud Function dispatch validation may lead to unexpected behavior or confusion, as the server returns successful HTTP 200 responses for undefined functions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart