Parse Server Prototype Pollution Vulnerability Allowing Schema Poisoning

Vulnerability

A vulnerability in Parse Server versions from 9.0.0 before 9.6.0-alpha.20 and from 8.6.0 before 8.6.44 allows attackers to bypass the default request keyword denylist and the class-level permissions that restrict adding fields. The bypass works by exploiting prototype pollution in the third-party deep copy library that Parse Server uses to process requests. Exploitation enables the injection of fields into class schemas that restrict field additions, leading to permanent schema type conflicts that cannot be resolved, even with the master key.
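To make the mechanism concrete, the following is an added JavaScript example (not Parse Server's code, not its deep copy dependency, and not the patch that shipped): a naive recursive deep copy beside a hardened variant that refuses the keys through which a JSON request body can reach Object.prototype, plus a probe that reports whether an unrelated object inherits the injected field. All function and key names, and the sample body, are assumptions constructed for this example.

```javascript
// Keys a deep copy must never take from untrusted input: each lets a plain
// JSON object reach Object.prototype or a constructor's prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Naive deep copy: trusts every own key of the source. JSON.parse produces an
// own property literally named "__proto__"; reading target[key] for that name
// hits the prototype accessor, so the nested object is copied straight onto
// Object.prototype and every object in the process inherits the new field.
function naiveDeepCopy(source, target = {}) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const nested = isPlainObject(target[key]) ? target[key] : {};
      target[key] = naiveDeepCopy(value, nested);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep copy: skips the polluting keys, merges only into existing OWN
// properties of the target, and writes with defineProperty so no inherited
// accessor can intercept the assignment.
function safeDeepCopy(source, target = {}) {
  const desc = (value) => ({ value, writable: true, enumerable: true, configurable: true });
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      Object.defineProperty(target, key, desc(safeDeepCopy(value, isPlainObject(own) ? own : {})));
    } else {
      Object.defineProperty(target, key, desc(value));
    }
  }
  return target;
}

// Constructed request body (not a real Parse request): one ordinary field and
// one "__proto__" key carrying a field the class schema would not allow.
const SAMPLE_BODY = '{"name":"widget","__proto__":{"injectedField":"poisoned"}}';

// Deep-copies the body with the given function, reports what an unrelated
// object now sees for injectedField, then undoes any pollution.
function probePollution(copyFn) {
  copyFn(JSON.parse(SAMPLE_BODY));
  const leaked = {}.injectedField;
  delete Object.prototype.injectedField;
  return leaked;
}
```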

Impact

Exploitation of this vulnerability allows for schema poisoning by injecting fields into restricted class schemas, causing irreversible schema type conflicts.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.20 or 8.6.44, where this vulnerability has been patched.

Added: Mar 18, 2026, 10:25 PM
Updated: Mar 18, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.