Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 63c37c4
Author: Manuel
Date: 2026-03-29T15:08:36Z
Commit Message
fix: Batch login sub-request rate limit uses IP-based keying (#10349)
Pull Request
PR: #10349 - fix: Batch login sub-request rate limit uses IP-based keying
Labels: state:released-alpha
Description:
Issue
Batch login sub-request rate limit uses IP-based keying
Tasks
Analysis
Vulnerability Type: Rate Limit Bypass
Severity: High
Description
The batch login sub-request rate limit was previously keyed by session token, so an attacker could exceed the login attempt limit simply by rotating session tokens across batch requests. This patch keys the rate limit for batch login sub-requests by client IP instead, so changing the session token no longer circumvents the limit.
Affected Code
const fakeReq = {
  // Client IP forwarded into the sub-request so the rate limiter can key on it
  ip: req.ip || req.config?.ip || '127.0.0.1',
  method: (restRequest.method || 'GET').toUpperCase(),
  _batchOriginalMethod: 'POST',
  config: req.config,
  auth: req.auth,
  info: req.info,
};
Proof of Concept
1. Create two users and obtain their session tokens: TOKEN1, TOKEN2.
2. Submit a batch request to /batch containing a sub-request POST /login with TOKEN1 in the 'X-Parse-Session-Token' header; this request is allowed once.
3. Immediately submit a second batch request to /batch with another login sub-request, this time with TOKEN2 in the header.
4. Before the patch, the second login attempt is counted under a separate key and bypasses the rate limit, so login attempts can be repeated without limit by rotating session tokens in batch requests.
5. After the patch, the rate limit is keyed by IP, so the second attempt is rejected with a 'Too many requests' error.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-29T18:00:39.380Z