Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
GHSA-q342-9w2p-57fp · BIT-parse-2026-30938 · CVE-2026-30938
Published · Modified
Description
Impact
The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique.
All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default.
Patches
The fix replaces the recursive object scanner with an iterative stack-based traversal that processes all nested values without prematurely exiting the scan loop. This also eliminates a potential stack overflow on deeply nested payloads.
Workarounds
Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.12
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-30938
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/8.6.12
- WEB https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1
Ready to move
Start Securing
Free, no credit card | First findings in minutes