Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: b321423
Author: Manuel
Date: 2026-03-14T15:01:04Z
Commit Message
fix: Schema poisoning via prototype pollution in deep copy ([GHSA-9ccr-fpp6-78qf](https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf)) (#10200)
Pull Request
PR: #10200 - fix: Schema poisoning via prototype pollution in deep copy (GHSA-9ccr-fpp6-78qf)
Labels: state:released-alpha
Description:
Issue
Schema poisoning via prototype pollution in deep copy ([GHSA-9ccr-fpp6-78qf](GHSA-9ccr-fpp6-78qf))
Tasks
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
Summary by CodeRabbit
- Chores
- Removed external deep-copy dependency and migrated to native JavaScript object cloning functionality, improving performance and red...
Analysis
Vulnerability Type: Prototype Pollution
Severity: High
Description
This patch fixes a prototype pollution vulnerability where malicious input containing the proto property could poison the server schema via deep copying operations. The vulnerable deep copy allowed attackers to inject properties that modified prototype chains, potentially bypassing schema protections and injecting unauthorized fields, leading to persistent and impactful privilege escalation or data corruption.
Affected Code
update = deepcopy(update);
Proof of Concept
Send an HTTP POST request to create or update a class with the following JSON body:
{
"name": "test",
"__proto__": {"isAdmin": true}
}
Expected behavior before the patch:
- The __proto__ key is deep-copied and merged into internal objects,
- This leads to modification of Object.prototype,
- Causes schema poisoning allowing injection of unauthorized fields or overriding behavior.
After the patch:
- The request is rejected with HTTP 400 and error mentioning '__proto__' as an invalid key,
- The schema remains unmodified, confirmed by querying schema fields.
Example test code excerpt from patch:
POST /1/classes/ProtoTest with body '{"name":"test","__proto__":{"injected":"value"}}' returns 400 error with code INVALID_KEY_NAME.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-14T18:00:40.743Z
Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: b321423
Author: Manuel
Date: 2026-03-14T15:01:04Z
Commit Message
Pull Request
PR: #10200 - fix: Schema poisoning via prototype pollution in deep copy (GHSA-9ccr-fpp6-78qf)
Labels: state:released-alpha
Description:
Issue
Schema poisoning via prototype pollution in deep copy ([GHSA-9ccr-fpp6-78qf](GHSA-9ccr-fpp6-78qf))
Tasks
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
Summary by CodeRabbit
Analysis
Vulnerability Type: Prototype Pollution
Severity: High
Description
This patch fixes a prototype pollution vulnerability where malicious input containing the proto property could poison the server schema via deep copying operations. The vulnerable deep copy allowed attackers to inject properties that modified prototype chains, potentially bypassing schema protections and injecting unauthorized fields, leading to persistent and impactful privilege escalation or data corruption.
Affected Code
Proof of Concept
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-14T18:00:40.743Z