Parse Server Denial-of-Service Vulnerability via Prototype Property Cloud Function Bypass

Vulnerability

A denial-of-service vulnerability has been identified in Parse Server versions prior to 8.6.13 and 9.0.0 through 9.5.1-alpha.2. An unauthenticated attacker can trigger it by calling the Cloud Function endpoint with a prototype property name as the function name. The server then recurses without bound until it hits a call stack size error, which crashes the Parse Server process. In addition, other prototype property names bypass the Cloud Function dispatch validation and return HTTP 200 responses even though no Cloud Function of that name is defined. Dot-notation traversal in function names is affected in the same way. All Parse Server deployments that expose the Cloud Function endpoint are vulnerable.

Impact

Exploitation of this vulnerability causes a high-severity denial-of-service condition, crashing the Parse Server process.

Remediation

Users can upgrade to Parse Server versions 8.6.13 or 9.5.1-alpha.2, both of which include the necessary patch. For those unable to upgrade, placing a reverse proxy or web application firewall in front of Parse Server to block requests containing prototype property names can serve as a temporary workaround.
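As an added illustration (not Parse Server's own code), the following contrasts a plain-object function registry, which resolves inherited prototype names, with a hardened lookup and a name check of the kind a reverse proxy or WAF rule could apply as the workaround described above; the registry contents and the `/parse/functions/` mount path are assumptions.

```javascript
// Naive registry: a plain object inherits from Object.prototype, so looking up
// a name such as "constructor" or "toString" yields a callable value even though
// nothing was registered under that name. This is the bypass class the advisory
// describes, shown here only to motivate the hardened form below.
const naiveRegistry = {};
naiveRegistry.hello = () => "hi";

function naiveLookup(name) {
  return typeof naiveRegistry[name] === "function"; // true for "constructor"
}

// Hardened dispatch: a Map has no inherited string keys, names must match a
// strict allowlist pattern (letters/digits/underscore, no leading underscore,
// no dots), and own property names of Object.prototype / Function.prototype
// (including "__proto__") are rejected explicitly before any lookup.
const PROTOTYPE_NAMES = new Set([
  ...Object.getOwnPropertyNames(Object.prototype),
  ...Object.getOwnPropertyNames(Function.prototype),
]);
const NAME_PATTERN = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;

const safeRegistry = new Map();
safeRegistry.set("hello", () => "hi");

function isSafeFunctionName(name) {
  if (typeof name !== "string" || !NAME_PATTERN.test(name)) return false;
  if (name.includes(".")) return false; // explicit dot-notation block
  return !PROTOTYPE_NAMES.has(name);
}

function safeLookup(name) {
  if (!isSafeFunctionName(name)) return null;
  return safeRegistry.get(name) ?? null; // only explicitly registered names resolve
}

// Request-path check for a reverse proxy / WAF rule. Mount path is assumed.
function isAllowedFunctionPath(path, mount = "/parse/functions/") {
  if (!path.startsWith(mount)) return true; // not a Cloud Function call
  let name;
  try {
    name = decodeURIComponent(path.slice(mount.length));
  } catch {
    return false; // malformed percent-encoding: reject rather than guess
  }
  return isSafeFunctionName(name);
}
```

Requests failing `isAllowedFunctionPath` should be rejected before they reach Parse Server, and rejections logged, since a burst of prototype-named function calls is a useful detection signal while the upgrade is pending.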

Added: Mar 10, 2026, 6:53 PM
Updated: Mar 10, 2026, 6:53 PM

Vulnerability Rating (Custom Algorithm)

spread          6.4
impact          3.1
exploitability  7.9
remediation     7.9
relevance       3.7
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.