CVE-2026-30848: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.
AI Analysis
Technical Summary
Parse Server, an open-source backend framework running on Node.js, includes a PagesRouter component responsible for serving static files from a configured pagesPath directory. In versions prior to 8.6.8 and 9.5.0-alpha.8, the PagesRouter's boundary check for restricting file access is flawed: instead of enforcing a directory separator boundary when validating the resolved path, it uses a simple string prefix comparison. A path traversal sequence can therefore escape the intended directory into a sibling directory whose name shares the same prefix (e.g., a directory named 'pages-secret' is accepted when the intended directory is 'pages', because the resolved path still starts with the string 'pages'). Consequently, unauthenticated attackers can read files outside the designated pagesPath directory that sit in such prefix-matched sibling directories, potentially exposing sensitive configuration files, credentials, or other private data. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The issue has been addressed in parse-server versions 8.6.8 and 9.5.0-alpha.8 by correcting the boundary validation logic to enforce directory separator boundaries and prevent traversal outside the allowed directory. No known active exploits have been reported, but the vulnerability poses a significant risk to confidentiality if left unpatched.
Potential Impact
This vulnerability can lead to unauthorized disclosure of sensitive files on servers running vulnerable versions of parse-server. Attackers can read configuration files, environment variables, source code, or other sensitive data stored in sibling directories, potentially leading to further compromise or data leakage. Since the exploit requires no authentication or user interaction, it can be leveraged by remote attackers with network access to the parse-server instance. Organizations using parse-server as a backend for mobile or web applications may face confidentiality breaches, undermining user trust and regulatory compliance. The impact is primarily on confidentiality, with no direct integrity or availability effects reported. However, exposure of sensitive files could facilitate subsequent attacks such as credential theft or privilege escalation. The medium CVSS score (6.3) reflects the moderate ease of exploitation combined with the potential sensitivity of exposed data. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially in environments with sensitive data or high-value targets.
Mitigation Recommendations
1. Upgrade parse-server to version 8.6.8 or later, or 9.5.0-alpha.8 or later, where the vulnerability is patched.
2. Review and restrict file system permissions for directories accessible by parse-server, ensuring that sensitive files are not stored in sibling directories whose names share a prefix with the pagesPath directory.
3. Implement network-level access controls to limit exposure of parse-server instances to trusted networks or VPNs.
4. Monitor server logs for unusual file access patterns that may indicate exploitation attempts.
5. Employ web application firewalls (WAFs) with rules to detect and block path traversal payloads targeting parse-server endpoints.
6. Conduct regular security audits and penetration testing focusing on file access controls in backend services.
7. Educate development teams about secure coding practices related to path validation and directory traversal prevention.
8. If an immediate upgrade is not feasible, consider temporarily disabling the PagesRouter static file serving feature or isolating it behind additional access controls until patched.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Netherlands, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-05T21:27:35.341Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ac52cfc48b3f10ffafee90
Added to database: 3/7/2026, 4:31:11 PM
Last enriched: 3/7/2026, 4:46:12 PM
Last updated: 3/8/2026, 4:11:27 AM