Impact
Parse Server, an open‑source backend for Node.js applications, had a flaw where the default blocklist of disallowed file extensions could be bypassed by uploading a file with a non‑standard or compound extension that also carries a dangerous content type. This allows an attacker to store actively malicious scripts on storage adapters such as Amazon S3 or Google Cloud Storage. The stored scripts can then be served to web users, resulting in a classic stored cross‑site scripting (XSS) attack. The vulnerability arises from failing to validate file extensions against the configured blocklist, leading to improper file type handling (CWE‑434).
Affected Systems
The affected product is Parse Server from parse‑community. All releases prior to 9.9.1‑alpha.11 and 8.6.81 are vulnerable, regardless of the deployment environment, since the issue resides in the open‑source code executed on Node.js infrastructure.
Risk and Exploitability
The CVSS score of 2.1 indicates a low severity risk, reflecting that the vulnerability requires an attacker to already have a file upload vector to the Parse Server instance. No exploitation probability is reported, and the issue is not listed in the CISA KEV catalog, suggesting limited active exploitation. The likely attack vector is that an attacker with access to the file upload endpoint can supply a compound extension to bypass the blocklist and embed JavaScript, leading to stored XSS against downstream consumers of the file stream.
OpenCVE Enrichment
Github GHSA