Parse Server may crash when uploading file without extension
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when a file without an extension is uploaded. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-server (npm) | >= 1.0.0, < 5.5.6 | 5.5.6 |
| parse-server (npm) | >= 6.0.0, < 6.3.1 | 6.3.1 |
Affected products (1)
- Range: >= 1.0.0, < 5.5.6
Patches (2)
686a9f282dc2 fix: Server crash when uploading file without extension; fixes security vulnerability [GHSA-792q-q67h-w579](https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579) (#8782)
2 files changed · +30 −2
spec/ParseFile.spec.js+28 −0 modified@@ -1366,6 +1366,34 @@ describe('Parse.File testing', () => { ); }); + it('allows file without extension', async () => { + await reconfigureServer({ + fileUpload: { + enableForPublic: true, + fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'], + }, + }); + const headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest', + }; + + const values = ['filenamewithoutextension']; + + for (const value of values) { + await expectAsync( + request({ + method: 'POST', + headers: headers, + url: `http://localhost:8378/1/files/${value}`, + body: '<html></html>\n', + }).catch(e => { + throw new Error(e.data.error); + }) + ).toBeResolved(); + } + }); + it('works with array', async () => { await reconfigureServer({ fileUpload: {
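Review bot: The `.catch(e => { throw new Error(e.data.error); })` handler in the new test assumes every rejection carries `e.data`. If the server process dies mid-request, which is the regression this test guards against, the rejection is likely a transport error without `data`, and the handler would throw a TypeError that hides the cause. `throw new Error(e.data?.error ?? e.message ?? String(e));` keeps the failure readable; the rejection shape of the `request` helper is not visible here, so confirm against it. The one-element `values` array with a `for` loop can also be reduced to a single request unless more names are planned. The same test appears in the spec section of fd8627891955 (`@@ -1364,6`).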
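--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -157,9 +157,9 @@ export class FilesRouter {
  } else if (contentType && contentType.includes('/')) {
  extension = contentType.split('/')[1];
  }
- extension = extension.split(' ').join('');
+ extension = extension?.split(' ')?.join('');
 
- if (!isValidExtension(extension)) {
+ if (extension && !isValidExtension(extension)) {
  next(
  new Parse.Error(
  Parse.Error.FILE_SAVE_ERROR,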
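Review bot: The new guard `if (extension && !isValidExtension(extension))` fails open: when no extension is derived, or when `contentType.split('/')[1]` yields an empty string, the `fileExtensions` patterns are never consulted and the upload proceeds. The accompanying spec pins this by accepting an HTML body under a pattern written to exclude `html`, so the behaviour looks deliberate, but it means the allow-list constrains only the declared extension, not what is stored. I would state that next to the guard, e.g. `// No extension derived from filename or Content-Type: fileExtensions is not enforced for this upload.`, and repeat it in the documentation of the `fileExtensions` option. Separately, the second `?.` in `extension?.split(' ')?.join('')` is redundant, since the chain already short-circuits when `extension` is nullish. The same applies to the FilesRouter.js section of fd8627891955 (`@@ -159,9`); the enclosing method starts and ends outside the hunk.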
fd8627891955 fix: Server crash when uploading file without extension; fixes security vulnerability [GHSA-792q-q67h-w579](https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579) (#8781)
2 files changed · +30 −2
spec/ParseFile.spec.js+28 −0 modified@@ -1364,6 +1364,34 @@ describe('Parse.File testing', () => { ); }); + it('allows file without extension', async () => { + await reconfigureServer({ + fileUpload: { + enableForPublic: true, + fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'], + }, + }); + const headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest', + }; + + const values = ['filenamewithoutextension']; + + for (const value of values) { + await expectAsync( + request({ + method: 'POST', + headers: headers, + url: `http://localhost:8378/1/files/${value}`, + body: '<html></html>\n', + }).catch(e => { + throw new Error(e.data.error); + }) + ).toBeResolved(); + } + }); + it('works with array', async () => { await reconfigureServer({ fileUpload: {
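--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -159,9 +159,9 @@ export class FilesRouter {
  } else if (contentType && contentType.includes('/')) {
  extension = contentType.split('/')[1];
  }
- extension = extension.split(' ').join('');
+ extension = extension?.split(' ')?.join('');
 
- if (!isValidExtension(extension)) {
+ if (extension && !isValidExtension(extension)) {
  next(
  new Parse.Error(
  Parse.Error.FILE_SAVE_ERROR,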
References (7)
- github.com/advisories/GHSA-792q-q67h-w579 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2023-46119 [ghsa, ADVISORY]
- github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe [ghsa, x_refsource_MISC, WEB]
- github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0 [ghsa, x_refsource_MISC, WEB]
- github.com/parse-community/parse-server/releases/tag/5.5.6 [ghsa, x_refsource_MISC, WEB]
- github.com/parse-community/parse-server/releases/tag/6.3.1 [ghsa, x_refsource_MISC, WEB]
- github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579 [ghsa, x_refsource_CONFIRM, WEB]