CVE-2026-30972
Rate Limit Bypass in Parse Server Batch Endpoint
Publication date: 2026-03-10
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.5.2 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.5.2 (exc) |
| parseplatform | parse-server | to 8.6.23 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-799 | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23. The issue is that the rate limiting middleware, which is supposed to limit the number of requests a client can make, is applied at the Express middleware layer. However, the batch request endpoint (/batch) processes multiple sub-requests internally by routing them directly through the Promise router, bypassing the Express middleware including the rate limiting feature.
As a result, an attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request, effectively circumventing the configured rate limit.
Any Parse Server deployment that relies on the built-in rate limiting feature is affected by this vulnerability.
How can this vulnerability impact me?
This vulnerability allows attackers to bypass rate limiting controls by sending multiple requests within a single batch request. This can lead to excessive usage of server resources, potentially causing denial of service or degraded performance.
It may also enable attackers to perform brute force attacks or abuse APIs that are supposed to be rate limited, increasing the risk of unauthorized access or data exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Parse Server deployment to version 9.5.2-alpha.10 or later, or 8.6.23 or later, where the issue has been fixed.
This update ensures that the rate limiting middleware is properly applied to batch requests, preventing attackers from bypassing rate limits by bundling multiple requests.
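The bypass explained above and the effect of the fix, as an added model in plain JavaScript that is not Parse Server's or Express's own code: a per-client limiter runs at the HTTP entry point, and the batch handler either dispatches sub-requests straight to the internal router (the bypass) or charges each sub-request against the same quota first. The `RateLimiter`, `promiseRouter`, `handleHttp` and handler functions, the quota of 5, the client address and the batch of 20 sub-requests are all constructed for this illustration.

```javascript
// Added model of the bypass, not Parse Server code: a per-client limiter at
// the HTTP entry point and a /batch handler dispatching to an internal router.
class RateLimiter {
  constructor(limit) { this.limit = limit; this.counts = new Map(); } // ip -> used
  // Consumes one unit of the client's quota; false once the quota is exhausted.
  allow(clientIp) {
    const used = this.counts.get(clientIp) || 0;
    if (used >= this.limit) return false;
    this.counts.set(clientIp, used + 1);
    return true;
  }
}
// Internal router handling one logical request (e.g. POST /login).
function promiseRouter(req) {
  return { path: req.path, status: 200 };
}

// HTTP entry point: the limiter runs as middleware before any routing, so the
// batch envelope itself costs one unit (an assumption of this model).
function handleHttp(limiter, batchHandler, httpReq) {
  if (!limiter.allow(httpReq.ip)) return { status: 429, results: [] };
  if (httpReq.path === '/batch') return batchHandler(limiter, httpReq);
  return { status: 200, results: [promiseRouter(httpReq)] };
}

// Vulnerable: sub-requests go straight to the router, so N sub-requests cost 1 unit.
function batchBypassing(limiter, httpReq) {
  const results = httpReq.requests.map((r) => promiseRouter({ ...r, ip: httpReq.ip }));
  return { status: 200, results };
}

// Hardened: every sub-request must pass the same limiter before dispatch.
function batchRateLimited(limiter, httpReq) {
  const results = httpReq.requests.map((r) =>
    limiter.allow(httpReq.ip) ? promiseRouter({ ...r, ip: httpReq.ip })
                              : { path: r.path, status: 429 });
  return { status: 200, results };
}

// Constructed sample: one client with a quota of 5 sends one batch of 20
// sub-requests to a rate-limited path; returns how many sub-requests succeeded.
function countAccepted(batchHandler) {
  const limiter = new RateLimiter(5);
  const batch = { ip: '203.0.113.7', path: '/batch',
    requests: Array.from({ length: 20 }, () => ({ method: 'POST', path: '/login' })) };
  return handleHttp(limiter, batchHandler, batch).results.filter((r) => r.status === 200).length;
}

console.log('bypassing:', countAccepted(batchBypassing), 'hardened:', countAccepted(batchRateLimited));
```

With the bypassing handler all 20 sub-requests succeed against a quota of 5; with the hardened handler only the 4 units left after the envelope do, which is the behaviour the fixed versions are meant to restore.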