CVE-2026-30848
EPSS 0.02%

Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Description
### Impact

The `PagesRouter` static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured `pagesPath` directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. `pages-secret` starts with `pages`).

This affects any Parse Server deployment with the `pages` feature enabled (`pages.enableRouter: true`). Exploitation requires a sibling directory of `pagesPath` whose name begins with the same string as the pages directory name.

### Patches

The fix enforces a path separator boundary in the check, ensuring resolved paths must be strictly inside the `pagesPath` directory.

### Workarounds

Ensure the `pagesPath` directory has no sibling directories whose names begin with the same prefix. For example, if `pagesPath` is `/srv/pages`, ensure no directory like `/srv/pages-backup` or `/srv/pages_old` exists alongside it.

### References

- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
- Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.8
- Fix for Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.8
Affected packages (2)
- Bitnami/parse (from 0, < 9.5.0)
- npm/parse-server (from 0, < 8.6.8)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |