GHSA-q342-9w2p-57fp
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Details
### Impact
The `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom `requestKeywordDenylist` entries configured by the developer are equally by-passable using the same technique.
All Parse Server deployments are affected. The `requestKeywordDenylist` is enabled by default.
### Patches
The fix replaces the recursive object scanner with an iterative stack-based traversal that processes all nested values without prematurely exiting the scan loop. This also eliminates a potential stack overflow on deeply nested payloads.
### Workarounds
Use a Cloud Code `beforeSave` trigger to validate incoming data for prohibited keywords across all classes.
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.12
Are you affected?
Enter the version of the package you're using.
Affected packages
9.0.0-alpha.1 Fixed in: 9.5.1-alpha.1 npm install parse-server@9.5.1-alpha.1 References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-30938 [ADVISORY]
- https://github.com/parse-community/parse-server [PACKAGE]
- https://github.com/parse-community/parse-server/releases/tag/8.6.12 [WEB]
- https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1 [WEB]