parse-community · coratgerl · Nov 23, 2025 · Nov 23, 2025 · Nov 23, 2025 · Nov 23, 2025
diff --git a/9.0.0.md b/9.0.0.md
@@ -0,0 +1,56 @@
+# Parse Server 9 Migration Guide <!-- omit in toc -->
+
+This document only highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 9 please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
+
+---
+- [Route Path Syntax and Rate Limiting](#route-path-syntax-and-rate-limiting)
+---
+
+## Route Path Syntax and Rate Limiting
+Parse Server 9 standardizes the route pattern syntax across cloud routes and rate-limiting to use the new **path-to-regexp v8** style. This update introduces validation and a clear deprecation error for the old wildcard route syntax.
+
+### Key Changes
+- **Standardization**: All route paths now use the path-to-regexp v8 syntax, which provides better consistency and security.
+- **Validation**: Added validation to ensure route paths conform to the new syntax.
+- **Deprecation**: Old wildcard route syntax is deprecated and will trigger a clear error message.
+
+### Migration Steps
+
+#### Path Syntax Examples
+
+Update your rate limit configurations to use the new path-to-regexp v8 syntax:
+
+| Old Syntax (deprecated) | New Syntax (v8) |
+|------------------------|-----------------|
+| `/functions/*` | `/functions/*path` |
+| `/classes/*` | `/classes/*path` |
+| `/*` | `/*path` |
+| `*` | `*path` |
+
+**Before:**
+```javascript
+rateLimit: {
+  requestPath: '/functions/*',
+  requestTimeWindow: 10000,
+  requestCount: 100
+}
+```
+
+**After:**
+```javascript
+rateLimit: {
+  requestPath: '/functions/*path',
+  requestTimeWindow: 10000,
+  requestCount: 100
+}
+```
+
+- Review your custom cloud routes and ensure they use the new path-to-regexp v8 syntax.
+- Update any rate-limiting configurations to use the new route path format.
+- Test your application to ensure all routes work as expected with the new syntax.
+
+> [!Note]
+> Consult the [path-to-regexp v8 docs](https://github.com/pillarjs/path-to-regexp) and the [Express 5 migration guide](https://expressjs.com/en/guide/migrating-5.html#path-syntax) for more details on the new path syntax.
+
+### Related Pull Request
+- [#9942](https://github.com/parse-community/parse-server/pull/9942)
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -48,7 +48,7 @@
     "mustache": "4.2.0",
     "otpauth": "9.4.0",
     "parse": "7.0.1",
-    "path-to-regexp": "6.3.0",
+    "path-to-regexp": "8.3.0",
     "pg-monitor": "3.0.0",
     "pg-promise": "12.2.0",
     "pluralize": "8.0.0",

diff --git a/spec/RateLimit.spec.js b/spec/RateLimit.spec.js
@@ -5,7 +5,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -26,7 +26,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -45,7 +45,7 @@ describe('rate limit', () => {
     Parse.Cloud.define('test', () => 'Abc');
     await reconfigureServer({
       rateLimit: {
-        requestPath: '*',
+        requestPath: '/*path',
         requestTimeWindow: 10000,
         requestCount: 1,
         errorResponseMessage: 'Too many requests',
@@ -83,7 +83,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -102,7 +102,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           includeMasterKey: true,
@@ -122,7 +122,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/classes/*',
+          requestPath: '/classes/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -141,7 +141,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/classes/*',
+          requestPath: '/classes/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           requestMethods: 'POST',
@@ -240,7 +240,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/classes/Test/*',
+          requestPath: '/classes/Test/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           requestMethods: 'DELETE',
@@ -294,7 +294,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 100,
           errorResponseMessage: 'Too many requests',
@@ -320,7 +320,7 @@ describe('rate limit', () => {
     await reconfigureServer({
       rateLimit: [
         {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -340,7 +340,7 @@ describe('rate limit', () => {
     it('can use global zone', async () => {
       await reconfigureServer({
         rateLimit: {
-          requestPath: '*',
+          requestPath: '*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -373,7 +373,7 @@ describe('rate limit', () => {
       });
       fakeRes.json = jasmine.createSpy('json').and.callFake(resolvingPromise);
       middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
-        throw 'Should not call next';
+        throw new Error('Should not call next');
       });
       await promise;
       expect(fakeRes.status).toHaveBeenCalledWith(429);
@@ -386,7 +386,7 @@ describe('rate limit', () => {
     it('can use session zone', async () => {
       await reconfigureServer({
         rateLimit: {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -407,7 +407,7 @@ describe('rate limit', () => {
     it('can use user zone', async () => {
       await reconfigureServer({
         rateLimit: {
-          requestPath: '/functions/*',
+          requestPath: '/functions/*path',
           requestTimeWindow: 10000,
           requestCount: 1,
           errorResponseMessage: 'Too many requests',
@@ -494,7 +494,7 @@ describe('rate limit', () => {
       await reconfigureServer({
         rateLimit: [
           {
-            requestPath: '/classes/*',
+            requestPath: '/classes/*path',
             requestTimeWindow: 10000,
             requestCount: 1,
             errorResponseMessage: 'Too many requests',

diff --git a/src/Config.js b/src/Config.js
@@ -3,6 +3,7 @@
 // mount is the URL for the root of the API; includes http, domain, etc.
 
 import { isBoolean, isString } from 'lodash';
+import { pathToRegexp } from 'path-to-regexp';
 import net from 'net';
 import AppCache from './cache';
 import DatabaseController from './Controllers/DatabaseController';
@@ -687,6 +688,14 @@ export class Config {
       if (typeof option.requestPath !== 'string') {
         throw `rateLimit.requestPath must be a string`;
       }
+
+      // Validate that the path is valid path-to-regexp syntax
+      try {
+        pathToRegexp(option.requestPath);
+      } catch (error) {
+        throw `rateLimit.requestPath "${option.requestPath}" is not valid: ${error.message}`;
+      }
+
       if (option.requestTimeWindow == null) {
         throw `rateLimit.requestTimeWindow must be defined`;
       }

diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -678,7 +678,7 @@ module.exports.RateLimitOptions = {
   requestPath: {
     env: 'PARSE_SERVER_RATE_LIMIT_REQUEST_PATH',
     help:
-      'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html',
+      'The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following <a href="https://github.com/pillarjs/path-to-regexp">path-to-regexp v8</a> syntax.',
     required: true,
   },
   requestTimeWindow: {

diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -350,7 +350,7 @@ export interface ParseServerOptions {
 }
 
 export interface RateLimitOptions {
-  /* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expression. See: https://expressjs.com/en/guide/routing.html */
+  /* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following <a href="https://github.com/pillarjs/path-to-regexp">path-to-regexp v8</a> syntax. */
   requestPath: string;
   /* The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied. */
   requestTimeWindow: ?number;

diff --git a/src/cloud-code/Parse.Cloud.js b/src/cloud-code/Parse.Cloud.js
@@ -82,12 +82,12 @@ const getRoute = parseClass => {
       '@Config' : 'config',
     }[parseClass] || 'classes';
   if (parseClass === '@File') {
-    return `/${route}/:id?(.*)`;
+    return `/${route}{/*id}`;
   }
   if (parseClass === '@Config') {
     return `/${route}`;
   }
-  return `/${route}/${parseClass}/:id?(.*)`;
+  return `/${route}/${parseClass}{/*id}`;
 };
 /** @namespace
  * @name Parse

diff --git a/src/middlewares.js b/src/middlewares.js
@@ -322,7 +322,7 @@ const handleRateLimit = async (req, res, next) => {
   try {
     await Promise.all(
       rateLimits.map(async limit => {
-        const pathExp = new RegExp(limit.path);
+        const pathExp = limit.path.regexp || limit.path;
         if (pathExp.test(req.url)) {
           await limit.handler(req, res, err => {
             if (err) {
@@ -560,12 +560,8 @@ export const addRateLimit = (route, config, cloud) => {
       },
     });
   }
-  let transformPath = route.requestPath.split('/*').join('/(.*)');
-  if (transformPath === '*') {
-    transformPath = '(.*)';
-  }
   config.rateLimits.push({
-    path: pathToRegexp(transformPath),
+    path: pathToRegexp(route.requestPath),
     handler: rateLimit({
       windowMs: route.requestTimeWindow,
       max: route.requestCount,