CVE-2026-53724: CWE-434: Unrestricted Upload of File with Dangerous Type in parse-community parse-server
Parse Server versions prior to 8.6.79 and including 9.9.1-alpha.4 have a vulnerability allowing bypass of the default file upload extension blocklist by appending a trailing dot to filenames. This causes the extension parser to extract an empty string, bypassing the blocklist and forwarding the attacker-controlled Content-Type to storage adapters like S3 or GCS. These adapters then serve the file with an active content type, potentially enabling stored cross-site scripting (XSS) when a victim accesses the file URL. The default GridFS adapter is not affected due to its use of X-Content-Type-Options: nosniff. A patch is available in versions 8.6.79 and 9.9.1-alpha.4.
AI Analysis
Technical Summary
Parse Server before versions 8.6.79 and 9.9.1-alpha.4 has a CWE-434 vulnerability where the file upload extension blocklist can be bypassed by appending a trailing dot to a filename (e.g., poc.svg.). This causes the extension parser to extract an empty string, short-circuiting the blocklist check. Consequently, the attacker-controlled Content-Type header is forwarded unchanged to storage adapters such as S3 or GCS, which serve the file with an active MIME type like image/svg+xml. This behavior enables stored XSS attacks when victims open the file URL. The default GridFS adapter mitigates this by setting X-Content-Type-Options: nosniff on responses. The issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
Potential Impact
An attacker can bypass the file upload extension blocklist by using filenames with trailing dots, causing storage adapters like S3 or GCS to serve malicious files with active content types. This enables stored cross-site scripting (XSS) attacks when victims access the uploaded file URLs. The vulnerability does not affect the default GridFS adapter due to its security headers. The CVSS 4.0 score is low (2.1), reflecting limited impact and required privileges.
Mitigation Recommendations
A patch is available and has been applied in Parse Server versions 8.6.79 and 9.9.1-alpha.4. Users should upgrade to these or later versions to remediate this vulnerability. Since this is a cloud service, the vendor manages remediation for hosted instances; verify with the vendor's advisory for cloud-hosted environments. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-53724: CWE-434: Unrestricted Upload of File with Dangerous Type in parse-community parse-server
Description
Parse Server versions prior to 8.6.79 and including 9.9.1-alpha.4 have a vulnerability allowing bypass of the default file upload extension blocklist by appending a trailing dot to filenames. This causes the extension parser to extract an empty string, bypassing the blocklist and forwarding the attacker-controlled Content-Type to storage adapters like S3 or GCS. These adapters then serve the file with an active content type, potentially enabling stored cross-site scripting (XSS) when a victim accesses the file URL. The default GridFS adapter is not affected due to its use of X-Content-Type-Options: nosniff. A patch is available in versions 8.6.79 and 9.9.1-alpha.4.
CVSS v4.0
Score 2.1low
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Parse Server before versions 8.6.79 and 9.9.1-alpha.4 has a CWE-434 vulnerability where the file upload extension blocklist can be bypassed by appending a trailing dot to a filename (e.g., poc.svg.). This causes the extension parser to extract an empty string, short-circuiting the blocklist check. Consequently, the attacker-controlled Content-Type header is forwarded unchanged to storage adapters such as S3 or GCS, which serve the file with an active MIME type like image/svg+xml. This behavior enables stored XSS attacks when victims open the file URL. The default GridFS adapter mitigates this by setting X-Content-Type-Options: nosniff on responses. The issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
Potential Impact
An attacker can bypass the file upload extension blocklist by using filenames with trailing dots, causing storage adapters like S3 or GCS to serve malicious files with active content types. This enables stored cross-site scripting (XSS) attacks when victims access the uploaded file URLs. The vulnerability does not affect the default GridFS adapter due to its security headers. The CVSS 4.0 score is low (2.1), reflecting limited impact and required privileges.
Mitigation Recommendations
A patch is available and has been applied in Parse Server versions 8.6.79 and 9.9.1-alpha.4. Users should upgrade to these or later versions to remediate this vulnerability. Since this is a cloud service, the vendor manages remediation for hosted instances; verify with the vendor's advisory for cloud-hosted environments. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-10T16:43:31.242Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a2c5615e617e2d834b0f47c
Added to database: 6/12/2026, 6:55:17 PM
Last enriched: 6/12/2026, 7:10:06 PM
Last updated: 6/12/2026, 8:06:58 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.