Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
- Severity:
- Medium
Description
The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 9.0.0-alpha.1, < 9.5.0-alpha.8 < 8.6.8** Patched version(s): **9.5.0-alpha.8 8.6.8**
References
Related Issues
- Parse Server's Session Update endpoint allows overwriting server-generated session fields - CVE-2026-33527
- parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
- Parse Server's Cloud function dispatch crashes server via prototype chain traversal - CVE-2026-32886
- Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on March 09, 2026