Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
Published: 2026-04-06
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: MIME Type Manipulation
Action: Patch
AI Analysis

Impact

Parse Server allows uploads of files whose filename extension passes the server’s whitelist but whose Content‑Type header differs. The Content‑Type supplied by the client is forwarded to the storage adapter without validation. Storage adapters that honor the provided MIME type, like S3 or GCS, serve the file with the mismatched type. The default GridFS adapter derives the type when the file is retrieved, so it is not affected. Based on the description, it is inferred that an attacker could upload a file that looks like a harmless text file but is served as HTML or JavaScript, potentially enabling client‑side execution or other content‑type based attacks. The flaw does not provide server‑side code execution.

Affected Systems

Parse Server from the parse‑community project is affected. Versions older than 8.6.73 and older than 9.7.1‑alpha.4 are vulnerable. The default GridFS adapter is safe because it determines the MIME type on download, but adapters that store and serve the client‑supplied MIME type, such as Amazon S3 or Google Cloud Storage, are at risk.

Risk and Exploitability

CVSS score of 2.1 indicates a low severity impact. EPSS score under 1% suggests low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to upload a file to the Parse Server instance and use a storage adapter that echoes the uploaded Content‑Type header. Under those conditions, the attacker can cause the file to be served with a different MIME type, which might provide a vector for cross‑site scripting or other content‑type confusion attacks.

Generated by OpenCVE AI on April 7, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Parse Server 8.6.73 or 9.7.1‑alpha.4 or newer.
  • If an upgrade cannot be performed immediately, configure any S3 or GCS adapters to override or ignore the client‑supplied Content‑Type header.
  • Verify that your deployment uses the default GridFS adapter or that custom adapters do not serve the client‑supplied MIME type.
  • Monitor logs for anomalous file uploads and ensure served files match expected MIME types.

Generated by OpenCVE AI on April 7, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vr5f-2r24-w5hc Parse Server: File upload Content-Type override via extension mismatch
History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.1:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.1:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.7.1:alpha3:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
Title Parse Server has a file upload Content-Type override via extension mismatch
Weaknesses CWE-436
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:02:50.601Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35200

cve-icon Vulnrichment

Updated: 2026-04-07T14:02:46.373Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T20:16:27.720

Modified: 2026-04-07T18:01:08.000

Link: CVE-2026-35200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:33Z

Weaknesses