Invalid file request can crashe parse-server
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | < 4.10.12 | 4.10.12 |
parse-servernpm | >= 5.0.0, < 5.2.3 | 5.2.3 |
Affected products
1- Range: < 4.10.12
Patches
15be375dec2fafix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8060)
2 files changed · +47 −3
spec/ParseFile.spec.js+38 −0 modified@@ -654,6 +654,44 @@ describe('Parse.File testing', () => { }); }); + describe('getting files', () => { + it('does not crash on file request with invalid app ID', async () => { + const res1 = await request({ + url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt', + }).catch(e => e); + expect(res1.status).toBe(403); + expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' }); + // Ensure server did not crash + const res2 = await request({ url: 'http://localhost:8378/1/health' }); + expect(res2.status).toEqual(200); + expect(res2.data).toEqual({ status: 'ok' }); + }); + + it('does not crash on file request with invalid path', async () => { + const res1 = await request({ + url: 'http://localhost:8378/1/files/invalid-id//invalid-path/%20/invalid-file.txt', + }).catch(e => e); + expect(res1.status).toBe(403); + expect(res1.data).toEqual({ error: 'unauthorized' }); + // Ensure server did not crash + const res2 = await request({ url: 'http://localhost:8378/1/health' }); + expect(res2.status).toEqual(200); + expect(res2.data).toEqual({ status: 'ok' }); + }); + + it('does not crash on file metadata request with invalid app ID', async () => { + const res1 = await request({ + url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`, + }); + expect(res1.status).toBe(200); + expect(res1.data).toEqual({}); + // Ensure server did not crash + const res2 = await request({ url: 'http://localhost:8378/1/health' }); + expect(res2.status).toEqual(200); + expect(res2.data).toEqual({ status: 'ok' }); + }); + }); + xdescribe('Gridstore Range tests', () => { it('supports range requests', done => { const headers = {
src/Routers/FilesRouter.js+9 −3 modified@@ -66,6 +66,12 @@ export class FilesRouter { getHandler(req, res) { const config = Config.get(req.params.appId); + if (!config) { + res.status(403); + const err = new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.'); + res.json({ code: err.code, error: err.message }); + return; + } const filesController = config.filesController; const filename = req.params.filename; const contentType = mime.getType(filename); @@ -250,10 +256,10 @@ export class FilesRouter { } async metadataHandler(req, res) { - const config = Config.get(req.params.appId); - const { filesController } = config; - const { filename } = req.params; try { + const config = Config.get(req.params.appId); + const { filesController } = config; + const { filename } = req.params; const data = await filesController.getMetadata(filename); res.status(200); res.json(data);
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-xw6g-jjvf-wwf9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-31089ghsaADVISORY
- github.com/parse-community/parse-server/commit/5be375dec2fa35425c1003ae81c55995ac72af92ghsax_refsource_MISCWEB
- github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.