GHSA-vpj2-qq7w-5qq6

Source

https://github.com/advisories/GHSA-vpj2-qq7w-5qq6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vpj2-qq7w-5qq6/GHSA-vpj2-qq7w-5qq6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vpj2-qq7w-5qq6

Aliases

CVE-2026-34532

Published

2026-03-31T23:48:38Z

Modified

2026-04-01T00:06:52.733008Z

Severity

9.1 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

parse-server has cloud function validator bypass via prototype chain traversal

Details

Impact

An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.

This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic.

Patches

The trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape.

Workarounds

Use arrow functions instead of the function keyword for Cloud Function handlers. Arrow functions do not have a prototype property and are not affected by this vulnerability.

Resources

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6
Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342
Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-03-31T15:16:20Z",
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-03-31T23:48:38Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.7.0-alpha.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vpj2-qq7w-5qq6/GHSA-vpj2-qq7w-5qq6.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.67

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vpj2-qq7w-5qq6/GHSA-vpj2-qq7w-5qq6.json"