FKIE_CVE-2026-32886
Vulnerability from fkie_nvd - Published: 2026-03-18 22:16 - Updated: 2026-03-19 17:21
Severity ?
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| parseplatform | parse-server | * | |
| parseplatform | parse-server | * | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 | |
| parseplatform | parse-server | 9.6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C700443A-5992-4B6E-B0E0-AE0145AAAA60",
"versionEndExcluding": "8.6.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A",
"versionEndExcluding": "9.6.0",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*",
"matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*",
"matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*",
"matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*",
"matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*",
"matchCriteriaId": "7567BB81-7837-4265-B792-6A9B73CECF93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha14:*:*:*:node.js:*:*",
"matchCriteriaId": "0035C6F1-21B9-42D1-BE29-690905F3558C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha15:*:*:*:node.js:*:*",
"matchCriteriaId": "623FB30A-0693-4449-80FA-16D36B1BE66C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha16:*:*:*:node.js:*:*",
"matchCriteriaId": "9B420167-CD3E-45A7-AD9A-0F83AEC634BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha17:*:*:*:node.js:*:*",
"matchCriteriaId": "030A8626-DBBD-4BF2-B362-79B44FB1204D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha18:*:*:*:node.js:*:*",
"matchCriteriaId": "D38CFCC3-2AA9-4C8E-9064-FE97E6E8C45C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha19:*:*:*:node.js:*:*",
"matchCriteriaId": "65BB78F2-3A1A-4CD1-B8A8-4AB043B5CA50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*",
"matchCriteriaId": "EDC98AF7-8620-4A25-9BE5-623672599677",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha20:*:*:*:node.js:*:*",
"matchCriteriaId": "23E28E0F-9379-4628-B9DC-8C94A45902CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha21:*:*:*:node.js:*:*",
"matchCriteriaId": "6631BE51-74FB-40C0-9E91-0EDF2DCADD7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha22:*:*:*:node.js:*:*",
"matchCriteriaId": "8B0E4254-14A3-4EB6-9E98-CF45EB08B17F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha23:*:*:*:node.js:*:*",
"matchCriteriaId": "0FF63FDE-75F5-44B6-A958-CF653D84D3B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*",
"matchCriteriaId": "DF340605-8CC8-4543-9F5D-E8602D258CED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha4:*:*:*:node.js:*:*",
"matchCriteriaId": "A052DFCA-EDCC-43D7-82C7-E5311F6F7687",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha5:*:*:*:node.js:*:*",
"matchCriteriaId": "12B11714-B961-4330-B241-FC5AF94FDBE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha6:*:*:*:node.js:*:*",
"matchCriteriaId": "37A7C42B-4986-4BB6-BB27-0324A9AA1CFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha7:*:*:*:node.js:*:*",
"matchCriteriaId": "C793834B-64B4-4DE9-BD7D-79B52C30C34E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha8:*:*:*:node.js:*:*",
"matchCriteriaId": "7AD455C8-88BE-4A0A-B33D-3A7811FFB753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha9:*:*:*:node.js:*:*",
"matchCriteriaId": "26C475A2-997C-4C3A-8CB6-04AB3534BBC3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround."
},
{
"lang": "es",
"value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 9.6.0-alpha.24 y 8.6.47, clientes remotos pueden bloquear el proceso de Parse Server al llamar a un endpoint de funci\u00f3n en la nube con un nombre de funci\u00f3n manipulado que atraviesa la cadena de prototipos de JavaScript de un gestor de funci\u00f3n en la nube registrado, causando un desbordamiento de pila. La correcci\u00f3n en las versiones 9.6.0-alpha.24 y 8.6.47 restringe las b\u00fasquedas de propiedades durante la resoluci\u00f3n de nombres de funciones en la nube solo a las propiedades propias, evitando el recorrido de la cadena de prototipos desde los gestores de funciones almacenados. No existe una soluci\u00f3n alternativa conocida."
}
],
"id": "CVE-2026-32886",
"lastModified": "2026-03-19T17:21:45.437",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-18T22:16:25.663",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/parse-community/parse-server/pull/10210"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/parse-community/parse-server/pull/10211"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…