Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 7d72d26
Author: Manuel
Date: 2026-03-18T00:07:02Z
Commit Message
fix: Rate limit bypass via HTTP method override and batch method spoofing (#10234)
Pull Request
PR: #10234 - fix: Rate limit bypass via HTTP method override and batch method spoofing
Labels: state:released-alpha
Description:
Issue
Rate limit bypass via HTTP method override and batch method spoofing ([GHSA-vpvj-hfh8-388m](https://github.com/parse-community/parse-server/security/advisories/GHSA-vpvj-hfh8-388m))
Analysis
Vulnerability Type: Rate Limit Bypass
Severity: High
Description
This patch fixes a rate limit bypass vulnerability where an attacker could circumvent request rate limiting by using the HTTP method override parameter (`_method`) or by crafting batch requests with sub-requests using different HTTP methods. By spoofing the method, attackers could bypass rate limits intended to prevent brute-force or denial-of-service attacks. The patch enforces rate limits correctly even when the HTTP method is overridden and applies rate limits on batch sub-requests, mitigating the bypass.
Affected Code
No validation or enforcement of rate limits was applied to overridden HTTP methods or to batch sub-requests, so an attacker could send many logically identical requests under a method that rate limiting exempted or handled differently. For example, a POST request with body `{ _method: 'GET', ... }` was treated as a GET, and was therefore counted under a different rule or ignored by rate limiting altogether.
Proof of Concept
1) Send a valid login request via POST method to the endpoint /1/login and observe success.
2) Immediately send a second request with method POST but with JSON body including `_method: 'GET'` to the same /1/login endpoint.
3) Without the patch, the server treats the second request as a GET and does not apply the POST rate limit to it, allowing unlimited login attempts and a bypass of the rate limit.
Example using curl:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{"username":"testuser","password":"password"}' \
  http://localhost:8378/1/login

curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{"_method":"GET","username":"testuser","password":"password"}' \
  http://localhost:8378/1/login
```
After the patch, expect the second request to be rate limited and rejected with a "Too many requests" error; before the patch it would succeed, allowing brute force beyond the rate limit.
Similarly, sending batch requests with multiple GET login sub-requests within one POST batch could bypass rate limiting on individual sub-requests before this fix.
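As an added example (not part of this issue and not parse-server's own code), the following JavaScript shows the defensive shape a limiter needs against both bypasses described above: every request is matched under its wire method and under any `_method` override in the body, so an override can never move a request out of a rule, and each sub-request of a `/batch` envelope is counted on its own. The rule format, the batch sub-request layout and all function names are assumptions.

```javascript
// Added example, not parse-server's own code; every name here is hypothetical.
// Rule: limit hits per client IP on a (method, path) pair within one window.
const DEFAULT_RULES = [{ method: 'POST', path: '/1/login', limit: 5 }];
// A request is matched under every method it can be read as: the method on the
// wire and, if the body carries a `_method` override, the overridden one. An
// override can therefore add a match but never remove one.
function candidateMethods(req) {
  const methods = new Set([String(req.method || 'GET').toUpperCase()]);
  if (req.body && typeof req.body._method === 'string') {
    methods.add(req.body._method.toUpperCase());
  }
  return [...methods];
}
// A /batch request is split into its sub-requests so each one is counted on its
// own. The sub-request shape { method, path, body } is assumed here.
function requestUnits(req) {
  if (req.path === '/1/batch' && req.body && Array.isArray(req.body.requests)) {
    return req.body.requests.map((sub) => ({
      method: sub.method, path: sub.path, body: sub.body || {},
    }));
  }
  return [req];
}
function createLimiter(rules = DEFAULT_RULES, windowMs = 60000) {
  const hits = new Map(); // key -> { count, resetAt }
  function hit(ip, rule, now) {
    const key = `${ip}|${rule.method}|${rule.path}`;
    let entry = hits.get(key);
    if (!entry || entry.resetAt <= now) {
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    return entry.count <= rule.limit;
  }
  // Returns true if the request, including every batch sub-request, is within
  // limits; false means the caller should answer 429 Too Many Requests.
  return function check(req, now = Date.now()) {
    let allowed = true;
    for (const unit of requestUnits(req)) {
      for (const method of candidateMethods(unit)) {
        const rule = rules.find((r) => r.method === method && r.path === unit.path);
        if (rule && !hit(req.ip, rule, now)) allowed = false;
      }
    }
    return allowed;
  };
}
```

The `now` parameter exists so the window can be driven deterministically in tests; in a real middleware the default clock is used and a `false` result maps to a 429 response.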
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-18T06:01:19.076Z