Parser Server's streaming file download bypasses afterFind file trigger authorization

Description

File downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.71

  >= 9.0.0, < 9.7.1-alpha.1**

• Patched version(s): **8.6.71

  9.7.1-alpha.1**

References

• GHSA-hpm8-9qx6-jvwv
• CVE-2026-34784
• CWE-285
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization - CVE-2026-30850
• parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction - CVE-2026-30228
• Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
• Parse Server: File upload Content-Type override via extension mismatch - CVE-2026-35200

You might also like:

Exploiting Server Version Disclosure

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

parse-server