CVE-2026-30972

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/releases/tag/8.6.23	Product Release Notes
https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10	Product Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9::::node.js::*

History

No history.

Information

Published : 2026-03-10 21:16

Updated : 2026-03-11 18:42

NVD link : CVE-2026-30972

Mitre link : CVE-2026-30972

CVE.ORG link : CVE-2026-30972

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-799

Improper Control of Interaction Frequency

{"id": "CVE-2026-30972", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T21:16:49.517", "references": [{"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-799"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.10 y 8.6.23, el middleware de limitaci\u00f3n de tasa de Parse Server se aplica en la capa de middleware de Express, pero el endpoint de solicitudes por lotes (/batch) procesa sub-solicitudes internamente enrut\u00e1ndolas directamente a trav\u00e9s del router Promise, eludiendo el middleware de Express, incluida la limitaci\u00f3n de tasa. Un atacante puede agrupar m\u00faltiples solicitudes dirigidas a un endpoint con limitaci\u00f3n de tasa en una \u00fanica solicitud por lotes para eludir el l\u00edmite de tasa configurado. Cualquier despliegue de Parse Server que dependa de la funci\u00f3n de limitaci\u00f3n de tasa incorporada se ve afectado. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.10 y 8.6.23."}], "lastModified": "2026-03-11T18:42:38.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CAF60FF9-05C1-4C9E-BDD4-53CA8C27526D", "versionEndExcluding": "8.6.23"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FDDB20F1-F6A7-4B1E-B075-CC250613D826"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CA14D0B7-B952-4C4E-B271-3EBB51C03E9C"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "19B7C5A9-B59A-4A47-B4F0-13C7C796B496"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0E619B8B-BC91-4F71-B84D-52E563AB8E03"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6C9DB980-4201-43D3-B019-2A6B325B896E"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}