Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 286373d
Author: Manuel
Date: 2026-03-15T17:13:30Z
Commit Message
fix: Cloud function dispatch crashes server via prototype chain traversal ([GHSA-4263-jgmp-7pf4](https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4)) (#10210)
Pull Request
PR: #10210 - fix: Cloud function dispatch crashes server via prototype chain traversal (GHSA-4263-jgmp-7pf4)
Labels: state:released-alpha
Description:
Issue
Cloud function dispatch crashes server via prototype chain traversal ([GHSA-4263-jgmp-7pf4](GHSA-4263-jgmp-7pf4))
Tasks
Analysis
Vulnerability Type: Prototype Chain Traversal (Server Crash / Denial of Service)
Severity: High
Description
Before the patch, an attacker could invoke cloud functions with crafted names containing prototype chain traversal segments (e.g., 'proto') enabling them to access internal object properties like constructor functions. This would cause the server to crash during the dispatch process, leading to a denial of service. The patch prevents traversal beyond own properties, blocking such malicious function names and ensuring server stability.
Affected Code
function getStore(category, name, applicationId) {
_triggerStore[applicationId] = _triggerStore[applicationId] || baseStore();
let store = _triggerStore[applicationId][category];
for (const component of path) {
store = store[component];
if (!store) {
return createStore();
}
}
Proof of Concept
POST http://localhost:8378/1/functions/legitimateFunction.__proto__.__proto__.constructor
Headers:
Content-Type: application/json
X-Parse-Application-Id: test
X-Parse-REST-API-Key: rest
Body: {}
Expected behavior before patch: Server crashes or becomes unresponsive.
Expected behavior after patch: HTTP 400 response with error indicating invalid function, server remains stable.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-15T18:00:41.255Z
Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 286373d
Author: Manuel
Date: 2026-03-15T17:13:30Z
Commit Message
Pull Request
PR: #10210 - fix: Cloud function dispatch crashes server via prototype chain traversal (GHSA-4263-jgmp-7pf4)
Labels: state:released-alpha
Description:
Issue
Cloud function dispatch crashes server via prototype chain traversal ([GHSA-4263-jgmp-7pf4](GHSA-4263-jgmp-7pf4))
Tasks
Analysis
Vulnerability Type: Prototype Chain Traversal (Server Crash / Denial of Service)
Severity: High
Description
Before the patch, an attacker could invoke cloud functions with crafted names containing prototype chain traversal segments (e.g., 'proto') enabling them to access internal object properties like constructor functions. This would cause the server to crash during the dispatch process, leading to a denial of service. The patch prevents traversal beyond own properties, blocking such malicious function names and ensuring server stability.
Affected Code
Proof of Concept
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-15T18:00:41.255Z