CVE-2026-30972: Parse Server has a rate limit bypass via batch request endpoint
Parse Server’s rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes its sub-requests internally by routing them directly through the Promise router, bypassing Express middleware, including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit.
Any Parse Server deployment that relies on the built-in rate limiting feature is affected.
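As an added illustration of the defensive idea (example code, not Parse Server's own code or the fix shipped in the releases listed below), an Express-layer check that charges every sub-request inside a /batch body against the caller's budget before the request reaches the router. It assumes the Parse REST batch body shape `{ requests: [{ method, path, body }] }`, a middleware mounted on the Parse app so that `req.path` is `/batch`, and a hypothetical `rules` list of `{ pathPrefix, limiter }` entries.

```javascript
// Added example, not Parse Server code: charge every sub-request inside a
// /batch body against the caller's rate-limit budget, so bundling requests
// into one batch no longer sidesteps an Express-layer limiter.
// Assumptions: batch bodies use the Parse REST shape
// { requests: [{ method, path, body }] }; `rules` is a hypothetical list of
// { pathPrefix, limiter } with fixed-window limits keyed by client IP.

class FixedWindowLimiter {
  constructor(max, windowMs, now = Date.now) {
    this.max = max; this.windowMs = windowMs; this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }
  window(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    return w;
  }
  canConsume(key, cost) { return this.window(key).count + cost <= this.max; }
  consume(key, cost) { this.window(key).count += cost; }
}

// Expand one inbound request into the HTTP requests it really represents.
// A malformed or empty batch still counts as one request, never as zero.
function effectiveRequests(req) {
  const subs = req.path === '/batch' && Array.isArray(req.body?.requests)
    ? req.body.requests.filter(r => r && typeof r.path === 'string') : [];
  return subs.length ? subs : [{ method: req.method, path: req.path }];
}

// Express-style middleware: each matching (sub-)request costs one unit on every
// rule whose prefix it hits; budgets are checked before any is consumed.
function batchAwareRateLimit(rules, keyFn = req => req.ip) {
  return (req, res, next) => {
    const key = keyFn(req), charges = new Map();
    for (const sub of effectiveRequests(req)) {
      for (const rule of rules) {
        if (sub.path.startsWith(rule.pathPrefix)) charges.set(rule, (charges.get(rule) || 0) + 1);
      }
    }
    for (const [rule, cost] of charges) {
      if (!rule.limiter.canConsume(key, cost)) return res.status(429).json({ error: 'Too many requests' });
    }
    for (const [rule, cost] of charges) rule.limiter.consume(key, cost);
    return next();
  };
}
```

Because all budgets are checked before any is consumed, a rejected oversized batch does not partially drain the window, and a malformed batch is counted as a single request to /batch rather than as free.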
References
- github.com/advisories/GHSA-775h-3xrc-c228
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/releases/tag/8.6.23
- github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10
- github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228
- nvd.nist.gov/vuln/detail/CVE-2026-30972