CVE-2026-30972
Received Received - Intake
Rate Limit Bypass in Parse Server Batch Endpoint

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30972
EUVD
EUVD-2026-10886
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23. The issue is that the rate limiting middleware, which is supposed to limit the number of requests a client can make, is applied at the Express middleware layer. However, the batch request endpoint (/batch) processes multiple sub-requests internally by routing them directly through the Promise router, bypassing the Express middleware including the rate limiting feature.

As a result, an attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request, effectively circumventing the configured rate limit.

Any Parse Server deployment that relies on the built-in rate limiting feature is affected by this vulnerability.

Impact Analysis

This vulnerability allows attackers to bypass rate limiting controls by sending multiple requests within a single batch request. This can lead to excessive usage of server resources, potentially causing denial of service or degraded performance.

It may also enable attackers to perform brute force attacks or abuse APIs that are supposed to be rate limited, increasing the risk of unauthorized access or data exposure.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.10 or later, or 8.6.23 or later, where the issue has been fixed.

This update ensures that the rate limiting middleware is properly applied to batch requests, preventing attackers from bypassing rate limits by bundling multiple requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30972. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart