Parse Server’s PagesRouter static file serving route performed a bounding check using only a string prefix comparison, neglecting to enforce a directory separator boundary. The vulnerability permits unauthenticated attackers to supply path traversal sequences that reference files located outside the configured pagesPath directory. The result is that arbitrary files residing in sibling directories whose names share the same prefix as the pages directory can be read, exposing potentially confidential data. This weakness is classified as a path traversal flaw (CWE-22) and gives attackers read‑only access to files on the server. Based on the description, the attack vector is inferred to be an unauthenticated HTTP request to the PagesRouter endpoint. The exploit details are inferred from the description because the CVE does not provide explicit implementation steps.

The issue affects parse-community Parse Server versions prior to 8.6.8 and 9.5.0‑alpha.8. In particular, release cpes list includes 9.5.0‑alpha1 through alpha7 and earlier 8.x series. Systems running those builds that expose the PagesRouter route publicly are vulnerable.

The vulnerability carries a CVSS score of 6.3 (medium). EPSS is reported as less than 1 %, indicating a very low exploitation probability at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be an unauthenticated HTTP request to the exposed PagesRouter endpoint. An attacker can exploit the flaw by sending a crafted HTTP request to an exposed PagesRouter endpoint without authentication. Since the server trusts the requested path components, the attacker can traverse directories to read files such as configuration, secrets, or logs. The exploit details are inferred from the description because the CVE does not provide explicit implementation steps.