
35 matches found

Github Security Blog
added 2026/03/31 11:48 p.m., 3 views

parse-server has cloud function validator bypass via prototype chain traversal

Impact: An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...

CVSS 9.1, AI score 5.9, EPSS 0.00041
Exploits 0, References 7, Affected Software 1
CVE
added 2026/03/31 2:42 p.m., 4 views

CVE-2026-34532

Parse Server vulnerability CVE-2026-34532: An attacker could bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler uses the function keyword and its validator is a plain object or arrow function, the tri...

CVSS 9.1, AI score 5.7, EPSS 0.00041
Exploits 0, References 5, Affected Software 1
CNNVD
added 2026/03/18 12:0 a.m., 2 views

Parse Server Security Vulnerability

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.6.0-alpha.24 and 8.6.47. These vulnerabilities stemmed from the ability of cloud function...

CVSS 8.2, AI score 5.8, EPSS 0.00031
Exploits 0, References 3
OSV
added 2026/03/12 2:47 p.m., 0 views

BIT-PARSE-2026-30939 Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server...

CVSS 8.8, AI score 5.8, EPSS 0.00181
Exploits 0, References 4
Vulnrichment
added 2026/03/10 4:37 p.m., 0 views

CVE-2026-30939 Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The...

CVSS 8.8, AI score 5.8, EPSS 0.00181
Exploits 0, References 3
ATTACKERKB
added 2026/03/10 4:37 p.m., 1 views

CVE-2026-30939

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The...

CVSS 8.8, AI score 5.8, EPSS 0.00181
Exploits 0, References 4, Affected Software 1
EUVD
added 2026/03/10 12:57 a.m., 2 views

EUVD-2026-10550

Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution...

CVSS 8.8, AI score 5.8, EPSS 0.00181
Exploits 0, References 3
OSV
added 2026/03/10 12:57 a.m., 1 views

GHSA-5J86-7R7M-P8H6 Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Impact: An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud...

CVSS 8.8, AI score 5.8, EPSS 0.00181
Exploits 0, References 5
Positive Technologies
added 2026/03/10 12:0 a.m., 3 views

PT-2026-24188

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.13; Parse Server versions prior to 9.5.1-alpha.2. Description: An unauthenticated attacker can cause a denial of service by crashing the Parse Server process. This occurs by calling a Cloud Function endpoint wit...

CVSS 8.8, AI score 5.7, EPSS 0.00181
Exploits 0, References 13
vulnersOsv
added 2025/11/25 2:20 p.m., 2 views

@appium/base-driver (>=10.0.0 <=10.1.1), @breautek/storm (>=9.0.0 <=9.2.4) +77 more potentially affected by CVE-2025-13466 via body-parser (=2.2.0)

body-parser NPM version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on body-parser and may be impacted: - @appium/base-driver =10.0.0, =9.0.0, =3.8.8, =1.114.0, =11.8.0, =3.4.0, =11.0.19, =0.1.0, =8.13.0, =4.0.1, =1.0.0-beta.2, =0.0.1-beta.0,...

CVSS 6.9, AI score 5.8, EPSS 0.00035
Exploits 0
EUVD
added 2025/10/29 10:51 p.m., 1 views

EUVD-2025-36783

Malicious code in google-cloud-functions-framework npm...

AI score 6.6
Exploits 0, References 1
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-4212

Malware in sbrugna...

CVSS 7.5, AI score 7.5, EPSS 0.00092
Exploits 0, References 2
RedhatCVE
added 2025/05/22 5:25 p.m., 1 views

CVE-2020-11872

The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication attacks by making billions of TempID requests before an AES-256-GCM key rotation occurs...

CVSS 7.5, AI score 7.5, EPSS 0.00092
Exploits 0, References 1
Talos Blog
added 2025/05/20 10:0 a.m., 15 views

Duping Cloud Functions: An emerging serverless attack vector

Summary and background: Google Cloud Platform (GCP) Cloud Functions are event-triggered, serverless functions that automatically scale and execute code in response to specific events like Hypertext Transfer Protocol (HTTP) requests or data changes. Tenable Research published an article discussing a...

AI score 8.1
Exploits 0
OSSF Malicious Packages
added 2024/11/25 5:50 p.m., 3 views

Malicious code in cloud-functions-schedule-instance (npm)

Source: ghsa-malware 9d10678b76e1cf601f3ff31de7642b60bd56df7c7899eb2c23808c2ef0ebf778. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0, References 1
The Hacker News
added 2024/07/25 8:29 a.m., 46 views

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name...

CVSS 9.8, AI score 9.4, EPSS 0.94349
Exploits 8
Kitploit
added 2023/10/23 5:45 p.m., 18 views

GATOR - GCP Attack Toolkit For Offensive Research, A Tool Designed To Aid In Research And Exploiting Google Cloud Environments

GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments. It offers a comprehensive range of modules tailored to support users in various attack stages, spanning from Reconnaissance to Impact. Modules Resource Category |...

AI score 7.2
Exploits 0, References 2
OSV
added 2023/05/24 2:51 a.m., 4 views

MAL-2023-1169 Malicious code in ee-cloud-functions (npm)

Source: ghsa-malware 81e2426558f083dcdd4aade89e23d39e99ff609b2ec96c53490a9cd4927f98d6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0, References 1
OSSF Malicious Packages
added 2023/05/24 2:51 a.m., 2 views

Malicious code in ee-cloud-functions (npm)

Source: ghsa-malware 81e2426558f083dcdd4aade89e23d39e99ff609b2ec96c53490a9cd4927f98d6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits 0, References 1
OSSF Malicious Packages
added 2023/02/02 8:5 p.m., 2 views

Malicious code in cloud-functions-apply-gce-sizing-recommendations (npm)

Source: ghsa-malware dff71f573ab0c75770c1eb1201e5e39139353eacb5afd6db5270d684e0bee416. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0, References 1