Parse Server's Cloud function dispatch crashes server via prototype chain traversal

GHSA-4263-jgmp-7pf4 · BIT-parse-2026-32886 · CVE-2026-32886

Description

Impact

Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.

Patches

The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.
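The own-property restriction described above, shown as an added example that is not Parse Server's code: the registry layout, the dotted-name scheme and both resolver functions are hypothetical, and the sample names are constructed.

```javascript
// Added illustration; not Parse Server source. Registry layout, dotted-name
// scheme and function names below are hypothetical.
const registry = {
  greet: (req) => `hello ${req.name}`,
  jobs: { nightly: () => 'done' },
};

// Before: plain bracket lookup. Each step may be satisfied by an inherited
// property (Object.prototype, Function.prototype), not a registered handler.
function resolveUnsafe(store, name) {
  let node = store;
  for (const part of name.split('.')) {
    if (node === null || node === undefined) return undefined;
    node = node[part];
  }
  return node;
}

// After: every step must be an own property, and the result must be a function.
function resolveOwnOnly(store, name) {
  let node = store;
  for (const part of name.split('.')) {
    const walkable = node !== null && (typeof node === 'object' || typeof node === 'function');
    if (!walkable || !Object.prototype.hasOwnProperty.call(node, part)) return undefined;
    node = node[part];
  }
  return typeof node === 'function' ? node : undefined;
}

// Constructed sample names: two registered, two that exist only by inheritance.
function compare(names) {
  return names.map((n) => ({
    name: n,
    unsafe: typeof resolveUnsafe(registry, n),
    ownOnly: typeof resolveOwnOnly(registry, n),
  }));
}

console.table(compare(['greet', 'jobs.nightly', 'toString', 'greet.toString']));
```

Names that resolve under the plain lookup but not under the own-property lookup are the ones a dispatcher should answer with "function not found" instead of invoking.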

Workarounds

There is no known workaround.
