Parse Server Rate Limiting Bypass Vulnerability via Batch Requests

Vulnerability

A vulnerability in Parse Server prior to versions 9.5.2-alpha.10 and 8.6.23 allows rate limits on certain endpoints to be bypassed. The issue arises because the batch request endpoint processes its sub-requests through the Promise router, bypassing the Express middleware where rate limiting is applied. An attacker can therefore combine multiple requests targeting a rate-limited endpoint into a single batch request, which the limiter counts as one request, effectively circumventing the rate limit. Any deployment of Parse Server that uses the built-in rate limiting feature is affected.

Impact

Exploiting this vulnerability bypasses rate limiting, allowing more requests to reach a rate-limited endpoint within a given window than the configured limit permits.

Remediation

Users can upgrade to Parse Server version 9.5.2-alpha.10 or 8.6.23, where this vulnerability has been patched. For those on earlier versions, a reverse proxy or web application firewall (WAF) can be used to enforce rate limiting before requests reach Parse Server.
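Whichever layer enforces the limit, it must charge a batch request once per rate-limited sub-request rather than once per HTTP request, or the bypass described above simply moves to the proxy. As an added example (not Parse Server's own code or the project's limiter), the counting rule below does that for a fixed-window limiter; it assumes the Parse REST batch body shape `{ requests: [ { method, path, body } ] }` and the limited path patterns are constructed for the example.

```javascript
// Added example, not Parse Server's own code: a counting rule for an
// Express-level or reverse-proxy limiter that charges a batch request once per
// rate-limited sub-request, so N sub-requests cost N units, not 1.
// Assumes the Parse REST batch body shape { requests: [ { method, path, body } ] }
// and the path patterns below, which are constructed for this example.

const BATCH_PATH = /\/batch$/;

// Endpoints the limiter protects (constructed; adjust to the deployment's mount path).
const LIMITED_PATHS = [/\/login$/, /\/requestPasswordReset$/];

function isLimited(path) {
  return typeof path === 'string' && LIMITED_PATHS.some((re) => re.test(path));
}

// Units to charge for one HTTP request. A batch costs the number of its
// sub-requests that hit a limited path; a direct hit costs 1; anything else 0.
function requestCost(method, path, body) {
  if (method === 'POST' && BATCH_PATH.test(path)) {
    const subs = body && Array.isArray(body.requests) ? body.requests : [];
    return subs.filter((r) => r && isLimited(r.path)).length;
  }
  return isLimited(path) ? 1 : 0;
}

// Fixed-window counter keyed by client (for example its IP address).
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }

  // Returns true and records the charge if `cost` units fit in the current window;
  // returns false (and records nothing) if they do not.
  allow(key, cost, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, used: 0 };
      this.buckets.set(key, b);
    }
    if (b.used + cost > this.limit) return false;
    b.used += cost;
    return true;
  }
}
```

With a limit of 5 per window, a batch of 10 login sub-requests is rejected outright, whereas a limiter that counts HTTP requests would admit it as a single call.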

Added: Mar 10, 2026, 9:20 PM
Updated: Mar 10, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 8.3
remediation: 7.9
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.