Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Description

The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 9.0.0-alpha.1, < 9.5.0-alpha.8

  < 8.6.8**

• Patched version(s): **9.5.0-alpha.8

  8.6.8**

References

• GHSA-hm3f-q6rw-m6wh
• CVE-2026-30848
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
• Parse Server's Session Update endpoint allows overwriting server-generated session fields - CVE-2026-33527
• Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
• parse-server has cloud function validator bypass via prototype chain traversal - CVE-2026-34532

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

parse-server