CVE-2026-30972: CWE-799: Improper Control of Interaction Frequency in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
AI Analysis
Technical Summary
Parse Server is an open-source backend framework that runs on Node.js and provides REST API endpoints, including a batch request endpoint (/batch) that allows clients to send multiple sub-requests in a single HTTP request. The vulnerability CVE-2026-30972 stems from improper control of interaction frequency (CWE-799) due to the rate limiting middleware being applied only at the Express middleware layer. While individual requests are subject to rate limiting, the batch endpoint processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware and thus the rate limiting controls. This architectural design flaw enables an attacker to bundle numerous requests targeting rate-limited endpoints into a single batch request, effectively circumventing the configured rate limits. This can lead to excessive resource consumption, potential denial of service, or abuse of backend services. The vulnerability affects parse-server versions >= 9.0.0 and < 9.5.2-alpha.10, and all versions prior to 8.6.23. The issue was addressed by applying rate limiting controls properly to the batch sub-requests in versions 9.5.2-alpha.10 and 8.6.23. Exploitation requires no authentication or user interaction, and the attack vector is network-based. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and potential impact on availability and resource integrity.
Potential Impact
The primary impact of this vulnerability is the ability for attackers to bypass rate limiting controls, which can lead to resource exhaustion on the parse-server backend. This can degrade service availability, cause denial of service conditions, and potentially enable further attacks that rely on overwhelming the backend infrastructure. Organizations relying on parse-server's built-in rate limiting for abuse prevention or API usage control are at risk of having these protections nullified. This can affect cloud services, mobile backends, and web applications using parse-server, potentially leading to service disruptions and increased operational costs due to resource overuse. Since no authentication is required, the attack surface is broad, and attackers can exploit this vulnerability remotely. Although no known exploits are reported in the wild yet, the straightforward bypass mechanism makes it a significant risk if unpatched. The vulnerability does not directly expose sensitive data but undermines service integrity and availability.
Mitigation Recommendations
The most effective mitigation is to upgrade parse-server to version 9.5.2-alpha.10 or later, or 8.6.23 or later, where the batch request endpoint properly enforces rate limiting on sub-requests. Until upgrades can be applied, organizations should consider implementing external rate limiting or API gateway controls that inspect and limit batch requests as a whole and their sub-requests. Monitoring and alerting on unusual batch request volumes or patterns can help detect exploitation attempts. Additionally, restricting access to the batch endpoint to trusted clients or requiring authentication can reduce exposure. Reviewing and tightening resource quotas and backend service limits can mitigate the impact of potential abuse. Network-level protections such as WAF rules to detect and throttle suspicious batch request payloads may also be beneficial. Finally, educating developers and administrators about this vulnerability and ensuring timely patch management is critical.
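As an added illustration of the external-limiting advice above (example code, not parse-server's own): an Express-style middleware that charges a /batch request for every sub-request it carries, so the count a client accumulates reflects what the Promise router will actually execute rather than the single outer HTTP request the Express layer sees. It assumes Parse's batch body shape ({ requests: [{ method, path, body }, ...] }); the option names, the fixed-window counter and the isLimited predicate are hypothetical.

```javascript
// Hypothetical defaults standing in for a deployment's rate-limit configuration.
const WINDOW_MS = 60_000;   // fixed window length
const MAX_REQUESTS = 100;   // requests allowed per window per client

// How many rate-limited units a request represents: 1 for an ordinary request,
// one per sub-request for a batch (optionally only those whose path the
// isLimited predicate flags). An empty or malformed batch still costs 1.
function requestCost(req, isLimited = () => true) {
  if (req.path === '/batch' && req.body && Array.isArray(req.body.requests)) {
    const n = req.body.requests
      .filter(sub => sub && isLimited(String(sub.path || ''))).length;
    return Math.max(1, n);
  }
  return 1;
}

// Builds a limiter with its own per-client window state. `now` is injectable
// so the window logic can be driven by a fake clock.
function createBatchAwareLimiter({ windowMs = WINDOW_MS, max = MAX_REQUESTS,
                                   now = Date.now, isLimited = () => true } = {}) {
  const buckets = new Map(); // clientKey -> { start, used }

  // Charge `cost` units to `clientKey`; false means the window is exhausted.
  function consume(clientKey, cost, at = now()) {
    let b = buckets.get(clientKey);
    if (!b || at - b.start >= windowMs) {
      b = { start: at, used: 0 };      // open a fresh window
      buckets.set(clientKey, b);
    }
    if (b.used + cost > max) return false;
    b.used += cost;
    return true;
  }

  // Express-compatible (req, res, next) middleware: mount it before the
  // /batch route so every sub-request is counted at the middleware layer.
  function middleware(req, res, next) {
    const cost = requestCost(req, isLimited);
    if (consume(req.ip, cost)) return next();
    res.status(429).json({ error: 'Too many requests', cost });
  }

  return { consume, middleware };
}
```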
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:53:48.815Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b0864c2f860ef943bbb070
Added to database: 3/10/2026, 8:59:56 PM
Last enriched: 3/10/2026, 9:15:47 PM
Last updated: 3/13/2026, 12:42:22 AM