The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique.
All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default.
The fix replaces the recursive object scanner with an iterative stack-based traversal that processes all nested values without prematurely exiting the scan loop. This also eliminates a potential stack overflow on deeply nested payloads.
Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.
| Score | Percentile |
|---|---|
| 0.06% | 20.11% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-q342-9w2p-57fp ↗ |
| CVE | CVE-2026-30938 ↗ |
| CWE id | Name |
|---|---|
| CWE-693 | Protection Mechanism Failure |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | parse-server | < 8.6.12 | 8.6.12 | — |
| npm | parse-server | >= 9.0.0-alpha.1, < 9.5.1-alpha.1 | 9.5.1-alpha.1 | — |