VYPR
Low severity (2.1) · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

CVE-2026-55778

Description

Impact

Parse Server's default fileUpload.fileExtensions blocklist is intended to prevent uploading files that browsers render as active content (such as HTML and SVG), which can be used to perform stored cross-site scripting (XSS) attacks against other users. The blocklist could be bypassed by uploading a file whose extension is not an exact match of a blocked extension (for example a non-standard or compound extension) together with a dangerous content type. On storage adapters that persist and serve the uploaded content type (such as S3 and GCS), the file is then served with the attacker-supplied content type, enabling stored XSS against users who open the file URL.

This affects the default configuration, in which authenticated users are allowed to upload files. The default GridFS/filesystem adapter sets the X-Content-Type-Options: nosniff response header, which mitigates browser rendering on that adapter, but the upload restriction itself is still bypassed. This is an incomplete-fix follow-up of GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v.

Patches

The file upload extension validation now also evaluates the request content type against the configured blocklist whenever the filename's extension is not a recognized type. As a result, a dangerous content type can no longer be preserved by uploading a file with a non-standard extension, and such uploads are rejected.

Workarounds

Configure fileUpload.fileExtensions as a strict allowlist of only the file extensions your application needs (for example ["^(png|jpe?g|gif|pdf)$"]) instead of relying on the default blocklist. Additionally, serve uploaded files from a separate domain from the application, so that any executed content is isolated from the application's origin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Vulnerability mechanics

Root cause

"The file extension blocklist performed an exact match on the filename extension only, allowing non-standard or compound extensions (e.g. `.svg~`, `.html.bak`) to bypass the blocklist while the storage adapter preserved the attacker-supplied dangerous Content-Type."

Attack vector

An authenticated attacker uploads a file whose filename uses a non-standard or compound extension (e.g. `malicious.svg~`, `malicious.html.bak`) together with a dangerous `Content-Type` such as `image/svg+xml` or `text/html`. The default blocklist only checks the filename extension for an exact match, so the file is accepted. On storage adapters that persist and serve the attacker-supplied content type (S3, GCS), the file is served with that content type, causing the browser to render it as active content and enabling stored cross-site scripting (XSS) against any user who opens the file URL.

Affected code

The vulnerability resides in `src/Routers/FilesRouter.js` within the `createHandler` method. The file upload extension blocklist only performed an exact match on the filename extension, so a file named `malicious.svg~` or `malicious.html.bak` would pass the blocklist while the storage adapter preserved the attacker-supplied `Content-Type` (e.g. `image/svg+xml` or `text/html`). The patch modifies the same file to also validate the Content-Type subtype when the filename extension is not recognized by the `mime` library.

What the fix does

The patch imports the `mime` library and uses `mime.getType(filename)` to determine whether the filename extension is a recognized MIME type. If the extension is not recognized (e.g. `svg~`, `html.bak`), the code falls back to validating the Content-Type subtype (e.g. `svg+xml`, `html`) against the blocklist. This ensures that a dangerous content type cannot be preserved by using a non-standard filename extension. The patch also introduces a `rejectExtension` helper to centralize error generation.
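To make the behaviour before and after the patch concrete, the following is an added Node.js example; it is not parse-server's code from `src/Routers/FilesRouter.js`. A small inline table stands in for the `mime` library lookup, the blocklist is a constructed subset of the real default, and the way a structured subtype such as `svg+xml` is compared against the blocklist is this example's assumption, not a description of the project's implementation. It models the pre-fix exact-match check, the patched check described under "What the fix does", and the strict allowlist recommended under "Workarounds".

```javascript
// Added example, not parse-server code. KNOWN_EXTENSIONS stands in for the
// `mime` library so the file runs offline (assumption for this example).

// Constructed stand-in for mime.getType(): extensions a MIME table would recognise.
const KNOWN_EXTENSIONS = new Set([
  'png', 'jpg', 'jpeg', 'gif', 'pdf', 'svg', 'html', 'htm', 'js', 'xml', 'txt',
]);

// Constructed blocklist of extensions browsers render as active content
// (the project's real default list is longer; assumption for this example).
const BLOCKED_EXTENSIONS = ['html', 'htm', 'svg', 'xml', 'xhtml', 'js'];

// Allowlist from the advisory's workaround, in regex-string form.
const STRICT_ALLOWLIST = ['^(png|jpe?g|gif|pdf)$'];

// Everything after the last dot, lower-cased; '' when there is no dot.
function extensionOf(filename) {
  const idx = filename.lastIndexOf('.');
  return idx === -1 ? '' : filename.slice(idx + 1).toLowerCase();
}

// Subtype tokens of a MIME type: 'image/svg+xml; charset=utf-8' -> ['svg', 'xml'].
// Splitting on '+' is how this example compares structured-syntax suffixes
// against the extension blocklist (assumption about the comparison).
function subtypeTokens(contentType) {
  if (!contentType) return [];
  const type = contentType.split(';')[0].trim().toLowerCase();
  const slash = type.indexOf('/');
  if (slash === -1) return [];
  return type.slice(slash + 1).split('+').filter(Boolean);
}

// Pre-fix behaviour: the blocklist is compared to the filename extension only,
// so 'malicious.svg~' (extension 'svg~') and 'malicious.html.bak' ('bak') pass.
function isAllowedLegacy(filename) {
  return !BLOCKED_EXTENSIONS.includes(extensionOf(filename));
}

// Patched behaviour: when the extension is not a recognised type, the declared
// Content-Type's subtype is evaluated against the same blocklist, so a dangerous
// type can no longer be preserved by a non-standard extension.
function isAllowedFixed(filename, contentType) {
  const ext = extensionOf(filename);
  if (BLOCKED_EXTENSIONS.includes(ext)) return false;
  if (KNOWN_EXTENSIONS.has(ext)) return true;
  // Unrecognised extension: an adapter such as S3/GCS would persist and later
  // serve the client-supplied type, so that type decides the outcome.
  return !subtypeTokens(contentType).some(t => BLOCKED_EXTENSIONS.includes(t));
}

// Workaround: fileUpload.fileExtensions as a strict allowlist. Each entry is a
// regex applied to the extension; anything unmatched, compound extensions
// included, is rejected regardless of Content-Type.
function isAllowedByAllowlist(filename, patterns = STRICT_ALLOWLIST) {
  const ext = extensionOf(filename);
  return patterns.some(p => new RegExp(p).test(ext));
}

// Walk the advisory's example uploads (constructed input) through all three checks.
function demo() {
  const uploads = [
    ['malicious.svg~', 'image/svg+xml'],
    ['malicious.html.bak', 'text/html'],
    ['photo.jpeg', 'image/jpeg'],
    ['notes.dat', 'application/octet-stream'],
  ];
  return uploads.map(([name, type]) => ({
    name,
    legacy: isAllowedLegacy(name),
    fixed: isAllowedFixed(name, type),
    allowlist: isAllowedByAllowlist(name),
  }));
}

console.table(demo());
```

Running the file prints one row per upload: the legacy column shows both compound-extension uploads passing, the fixed column rejects them because the declared type's subtype hits the blocklist, and the allowlist column rejects anything whose extension does not match the configured pattern, which is why the advisory recommends the allowlist over the default blocklist.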

Preconditions

  • [config] The server must use the default `fileUpload.fileExtensions` blocklist (not a strict allowlist).
  • [auth] The attacker must be an authenticated user (the default configuration allows authenticated file uploads).
  • [config] The storage adapter must persist and serve the client-supplied Content-Type (e.g. S3, GCS).
  • [input] The attacker must supply a filename with a non-standard or compound extension and a dangerous Content-Type (e.g. `image/svg+xml`, `text/html`).

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0