{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30972", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.815Z", "datePublished": "2026-03-10T20:48:47.349Z", "dateUpdated": "2026-03-11T16:00:44.344Z"}, "containers": {"cna": {"title": "Parse Server has a rate limit bypass via batch request endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-799", "lang": "en", "description": "CWE-799: Improper Control of Interaction Frequency", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23"}, {"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0 < 9.5.2-alpha.10", "status": "affected"}, {"version": "< 8.6.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:48:47.349Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23."}], "source": {"advisory": "GHSA-775h-3xrc-c228", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:53:44.590413Z", "id": "CVE-2026-30972", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:00:44.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Parse Server has a rate limit bypass via batch request endpoint", "source": {"advisory": "GHSA-775h-3xrc-c228", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"status": "affected", "version": ">= 9.0.0 < 9.5.2-alpha.10"}, {"status": "affected", "version": "< 8.6.23"}]}], "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-799", "description": "CWE-799: Improper Control of Interaction Frequency"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:48:47.349Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:53:44.590413Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T15:53:45.812Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-30972", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:48:47.349Z", "dateReserved": "2026-03-07T17:53:48.815Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:48:47.349Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CAF60FF9-05C1-4C9E-BDD4-53CA8C27526D", "versionEndExcluding": "8.6.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E66572ED-597B-4D8E-A636-733D463A4E4D", "versionEndExcluding": "9.5.2", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "E0D611B9-CD4F-418B-8FBD-CFA1BCA9E817", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "6521B8A9-6116-4CAE-9B5E-F22C204B1F0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "601B2CF1-D29A-42CC-8405-185C1A8E1EB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "BC9F2B9D-026F-454B-B565-05AA441FA54F", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "FDDB20F1-F6A7-4B1E-B075-CC250613D826", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "CA14D0B7-B952-4C4E-B271-3EBB51C03E9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "19B7C5A9-B59A-4A47-B4F0-13C7C796B496", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "0E619B8B-BC91-4F71-B84D-52E563AB8E03", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "6C9DB980-4201-43D3-B019-2A6B325B896E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de 9.5.2-alpha.10 y 8.6.23, el middleware de limitaci\u00f3n de tasa de Parse Server se aplica en la capa de middleware de Express, pero el endpoint de solicitudes por lotes (/batch) procesa sub-solicitudes internamente enrut\u00e1ndolas directamente a trav\u00e9s del router Promise, eludiendo el middleware de Express, incluida la limitaci\u00f3n de tasa. Un atacante puede agrupar m\u00faltiples solicitudes dirigidas a un endpoint con limitaci\u00f3n de tasa en una \u00fanica solicitud por lotes para eludir el l\u00edmite de tasa configurado. Cualquier despliegue de Parse Server que dependa de la funci\u00f3n de limitaci\u00f3n de tasa incorporada se ve afectado. Esta vulnerabilidad est\u00e1 corregida en 9.5.2-alpha.10 y 8.6.23."}], "id": "CVE-2026-30972", "lastModified": "2026-03-11T18:42:38.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:49.517", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-799"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.5.2-alpha.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.23)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-16T09:26:56.406500+00:00", "value": {"mitigation_remediation": ["Upgrade Parse Server to version 9.5.2\u2011alpha.10 or 8.6.23, where the rate limiting is applied to batch requests.", "If an upgrade cannot be performed immediately, temporarily disable the /batch endpoint or replace it with a custom implementation that enforces rate limits on each sub\u2011request.", "Monitor for unusually large batch payloads or sudden increases in request volume and apply network or API gateway throttling or blocking rules as needed."], "summary": {"action": "Patch Now", "impact": "Rate Limit Bypass leading to resource exhaustion and potential denial of service"}, "threat_synthesis": {"affected_systems": "All unpatched deployments of Parse Server older than 9.5.2\u2011alpha.10 and 8.6.23, including every alpha release from 9.5.2\u2011alpha.1 through alpha.9, are affected. The issue applies to every instance of the open source Parse Server that runs on Node.js and uses the built\u2011in rate limiting feature.", "description_and_impact": "Parse Server\u2019s rate limiting middleware is applied only at the Express middleware layer, but the /batch endpoint processes sub\u2011requests directly through the Promise router, bypassing that layer. An attacker can therefore bundle multiple requests that would normally be rate\u2011limited into a single batch request, circumventing the configured limits. This improper restriction of resources flaw can cause denial of service by exhausting CPU, memory or network bandwidth. The vulnerability does not provide direct code execution or data exposure.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. An EPSS of less than 1% signals a low but non\u2011zero likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA known exploited vulnerabilities catalog, meaning no active publicly known exploits have been reported. The flaw can be exploited by any client that has permission to submit batch requests, allowing an attacker to flood the server with a high volume of batched requests and potentially bring the service down. The risk is amplified in high\u2011traffic or publicly exposed environments."}}}}, "created": "2026-03-11T11:42:13.199340+00:00", "updated": "2026-04-16T09:30:06.052243+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}