Arbitrary file upload in Parse Server - #VU135973


Published: June 30, 2026


Vulnerability identifier: #VU135973
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in other users' browsers.

The vulnerability exists because file upload validation and storage handling do not restrict uploads of a dangerous file type when the file has an unrecognized extension and is sent with a malformed Content-Type header. A remote user can upload a crafted file whose body begins with HTML markup; when that file is later served back under the stored Content-Type, a browser can treat it as HTML and execute arbitrary script in other users' browsers (stored cross-site scripting via file upload).

Exploitation requires permission to upload files. Only storage adapters that persist and serve the uploaded Content-Type are affected; the default GridFS storage adapter is not affected.
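The following is an added illustration, not Parse Server's own code, of the failure mode sketched above and one way to close it. The weak validator models one plausible path (trusting a client-declared Content-Type when the extension is unknown and never inspecting the body); whether Parse Server's actual code path looks like this is not stated on this page. All function names, the extension table and the hardened function's signature are hypothetical, and the HTML-bearing upload is constructed for the example.

```javascript
"use strict";

// Hypothetical extension table: anything not listed is an "unrecognized" extension.
const KNOWN_EXTENSIONS = {
  ".png": "image/png",
  ".jpg": "image/jpeg",
  ".pdf": "application/pdf",
  ".txt": "text/plain",
};

// Strict media-type syntax (RFC 7231 section 3.1.1.1, simplified):
// token "/" token, then zero or more "; name=value" parameters.
// Anything that does not match is treated as malformed.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE_RE = new RegExp(
  "^" + TOKEN + "/" + TOKEN +
  "(?:\\s*;\\s*" + TOKEN + "=(?:" + TOKEN + "|\"[^\"]*\"))*$"
);

// Leading markup that browser content sniffing treats as HTML (a subset of the
// WHATWG MIME Sniffing identification table). Each tag must be followed by
// whitespace or ">" to count, so "<abc" does not match "<a".
const HTML_PREFIXES = [
  "<!doctype html", "<html", "<head", "<script", "<iframe", "<h1", "<div",
  "<font", "<table", "<a", "<style", "<title", "<b", "<body", "<br", "<p", "<!--",
];

function extensionOf(filename) {
  const i = filename.lastIndexOf(".");
  return i === -1 ? "" : filename.slice(i).toLowerCase();
}

// True if the body starts (after an optional UTF-8 BOM and whitespace) with HTML.
function looksLikeHtml(body) {
  let head = body.subarray(0, 512).toString("latin1");
  if (head.startsWith("\xEF\xBB\xBF")) head = head.slice(3);
  head = head.replace(/^[\t\n\f\r ]+/, "").toLowerCase();
  return HTML_PREFIXES.some((p) =>
    head.startsWith(p) &&
    (p === "<!--" || /[\t\n\f\r >]/.test(head.charAt(p.length))));
}

// WEAK (models the flaw): an unrecognized extension falls back to whatever the
// client declared, malformed or not, and nothing inspects the body. An adapter
// that persists this value then serves "<html>..." under a Content-Type the
// browser cannot parse, so the browser sniffs the body and renders it as HTML.
function weakStoredContentType(filename, declaredType) {
  const ext = extensionOf(filename);
  if (KNOWN_EXTENSIONS[ext]) return KNOWN_EXTENSIONS[ext];
  return declaredType || "application/octet-stream";
}

// HARDENED: reject malformed types, never persist a client-declared type for an
// unknown extension, refuse bodies that sniff as HTML, and record the headers
// a serving adapter should send so the object stays inert in a browser.
function hardenedStoredContentType(filename, declaredType, body) {
  if (declaredType != null && !MEDIA_TYPE_RE.test(declaredType)) {
    throw new Error("rejected: malformed Content-Type");
  }
  const ext = extensionOf(filename);
  const contentType = KNOWN_EXTENSIONS[ext] || "application/octet-stream";
  if (looksLikeHtml(body)) {
    throw new Error("rejected: body begins with HTML markup");
  }
  return {
    contentType,
    headers: {
      "X-Content-Type-Options": "nosniff",
      "Content-Disposition": KNOWN_EXTENSIONS[ext] ? "inline" : "attachment",
    },
  };
}

// Constructed sample upload: unknown extension, malformed type, HTML body.
const CRAFTED_NAME = "avatar.xyz";
const CRAFTED_TYPE = "text/html;"; // trailing ";" with no parameter: malformed
const CRAFTED_BODY = Buffer.from(
  "<html><body><script>alert(document.domain)</script></body></html>"
);

// Runs both validators over the crafted upload and reports what each decided.
function demo() {
  const weak = weakStoredContentType(CRAFTED_NAME, CRAFTED_TYPE);
  let hardened;
  try {
    hardenedStoredContentType(CRAFTED_NAME, CRAFTED_TYPE, CRAFTED_BODY);
    hardened = "accepted";
  } catch (e) {
    hardened = e.message;
  }
  return { weak, hardened };
}

console.log(demo());
```

The HTML sniff check is a denylist and will not catch every active format, so the load-bearing controls here are the other three: a parseable Content-Type, a server-chosen type for unrecognized extensions, and `X-Content-Type-Options: nosniff` plus `Content-Disposition: attachment` on whatever the adapter serves.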


Remediation

Install the security update from the vendor's website.

Sources