Skip to content

[Vulnerability] parse-community/parse-server: Prototype Pollution #162

Description

@github-actions

Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: b321423
Author: Manuel
Date: 2026-03-14T15:01:04Z

Commit Message

fix: Schema poisoning via prototype pollution in deep copy ([GHSA-9ccr-fpp6-78qf](https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf)) (#10200)

Pull Request

PR: #10200 - fix: Schema poisoning via prototype pollution in deep copy (GHSA-9ccr-fpp6-78qf)
Labels: state:released-alpha

Description:

Issue

Schema poisoning via prototype pollution in deep copy ([GHSA-9ccr-fpp6-78qf](GHSA-9ccr-fpp6-78qf))

Tasks

  • Add tests
  • Add changes
  • Add entry to changelog

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

Summary by CodeRabbit

  • Chores
    • Removed external deep-copy dependency and migrated to native JavaScript object cloning functionality, improving performance and red...

Analysis

Vulnerability Type: Prototype Pollution
Severity: High

Description

This patch fixes a prototype pollution vulnerability where malicious input containing the proto property could poison the server schema via deep copying operations. The vulnerable deep copy allowed attackers to inject properties that modified prototype chains, potentially bypassing schema protections and injecting unauthorized fields, leading to persistent and impactful privilege escalation or data corruption.

Affected Code

update = deepcopy(update);

Proof of Concept

Send an HTTP POST request to create or update a class with the following JSON body:
{
  "name": "test",
  "__proto__": {"isAdmin": true}
}

Expected behavior before the patch:
- The __proto__ key is deep-copied and merged into internal objects,
- This leads to modification of Object.prototype,
- Causes schema poisoning allowing injection of unauthorized fields or overriding behavior.

After the patch:
- The request is rejected with HTTP 400 and error mentioning '__proto__' as an invalid key,
- The schema remains unmodified, confirmed by querying schema fields.

Example test code excerpt from patch:
POST /1/classes/ProtoTest with body '{"name":"test","__proto__":{"injected":"value"}}' returns 400 error with code INVALID_KEY_NAME.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-14T18:00:40.743Z

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions