GHSA-4263-jgmp-7pf4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4263-jgmp-7pf4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4263-jgmp-7pf4/GHSA-4263-jgmp-7pf4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4263-jgmp-7pf4
- Aliases
-
- CVE-2026-32886
- Published
- 2026-03-17T17:58:08Z
- Modified
- 2026-03-17T18:01:27.534906Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Parse Server's Cloud function dispatch crashes server via prototype chain traversal
- Details
-
Impact
Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.
Patches
The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.
Workarounds
There is no known workaround.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-1321" ], "github_reviewed_at": "2026-03-17T17:58:08Z", "nvd_published_at": null, "severity": "HIGH" }- References
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server