Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 434ecbe
Author: Manuel
Date: 2026-03-15T20:50:40Z
Commit Message
fix: Rate limit user zone key fallback and batch request bypass (#10214)
Pull Request
PR: #10214 - fix: Rate limit user zone key fallback and batch request bypass
Labels: state:released-alpha
Description:
Issue
Rate limit user zone key fallback and batch request bypass ([GHSA-4jj8-x76w-v7h7](https://github.com/parse-community/parse-server/security/advisories/GHSA-4jj8-x76w-v7h7), [GHSA-jmvh-84q9-vvrc](https://github.com/parse-community/parse-server/security/advisories/GHSA-jmvh-84q9-vvrc))
Analysis
Vulnerability Type: Rate Limit Bypass
Severity: Medium
Description
Before this patch, the rate limiting system in Parse Server did not correctly apply rate limits to batch sub-requests individually, allowing attackers to bypass request count limits by batching multiple requests into a single batch call or abusing user zone key fallback behavior. This patch ensures that each sub-request in batch requests consumes tokens against the applicable rate limits and that user zone rate limiting is correctly enforced per user, preventing bypasses and denial-of-service vectors.
Affected Code
```javascript
// Excerpt from the batch request handler: `req`, `makeRoutablePath` and
// `Parse` are provided by the surrounding module (not shown here).
//
// Check if batch sub-requests would exceed any configured rate limits.
// Count how many sub-requests target each rate-limited path and reject
// the entire batch if any path's count exceeds its requestCount.
const rateLimits = req.config.rateLimits || [];
for (const limit of rateLimits) {
  // Skip rate limit if master key is used and includeMasterKey is not set
  if (req.auth?.isMaster && !limit.includeMasterKey) {
    continue;
  }
  // Skip rate limit for internal requests if includeInternalRequests is not set
  if (req.config.ip === '127.0.0.1' && !limit.includeInternalRequests) {
    continue;
  }
  const pathExp = limit.path.regexp || limit.path;
  let matchCount = 0;
  for (const restRequest of req.body.requests) {
    // Check if sub-request method matches the rate limit's requestMethods filter
    if (limit.requestMethods) {
      const method = restRequest.method?.toUpperCase();
      if (Array.isArray(limit.requestMethods)) {
        if (!limit.requestMethods.includes(method)) {
          continue;
        }
      } else {
        const regExp = new RegExp(limit.requestMethods);
        if (!regExp.test(method)) {
          continue;
        }
      }
    }
    const routablePath = makeRoutablePath(restRequest.path);
    if (pathExp.test(routablePath)) {
      matchCount++;
    }
  }
  if (matchCount > limit.requestCount) {
    throw new Parse.Error(
      Parse.Error.CONNECTION_FAILED,
      limit.errorResponseMessage || 'Batch request exceeds rate limit for endpoint'
    );
  }
}
```
Proof of Concept
1. Configure a rate limit of 2 requests per 10 seconds on the path `/classes/*`.
2. Make a direct request to save an object on `/classes/MyObject`.
3. Then make a batch request containing a single sub-request to `/classes/MyObject` (this should be allowed, count = 2).
4. Next, make another batch request with a single sub-request to `/classes/MyObject`.
Before the patch, step 4 succeeds because batch sub-requests were not individually rate limited; after the patch, step 4 is rejected with a 'Too many requests' error, confirming that sub-requests now count against the limit.
Example request causing bypass before patch:
```http
POST /1/batch
{
  "requests": [
    { "method": "POST", "path": "/1/classes/MyObject", "body": { "key": "value" } }
  ]
}
```
When multiple such batch requests are sent in excess of the configured rate limit, the unpatched server allows them, enabling denial-of-service or brute-force attempts that bypass the intended protection.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-16T00:00:48.546Z