Parse Server, Path Traversal, CVE-2026-30848 (Medium)

Listen to this Post

The vulnerability exists in the PagesRouter static file serving route of Parse Server. The boundary check to prevent directory traversal uses a string prefix comparison to ensure a requested file path starts with the configured `pagesPath` directory. This check fails to enforce a directory separator boundary, meaning it does not verify that the compared prefix ends with a path separator like ‘/’. An attacker can exploit this by using path traversal sequences (../) to navigate up the directory tree and then access files in sibling directories. This attack is only successful if a sibling directory’s name shares the same prefix as the pages directory (e.g., `pagesPath` is `/srv/pages` and a directory named `/srv/pages-secret` exists). The string check sees that the path to the secret file starts with `/srv/pages` and incorrectly allows access. The attack requires the pages feature to be enabled (pages.enableRouter: true) and is performed without authentication. The official fix now enforces a path separator boundary, ensuring resolved paths are strictly inside the intended directory .
Platform: Parse Server
Version: <8.6.8, <9.5.0-alpha.8
Vulnerability: Path Traversal
Severity: Medium (CVSS 6.3)
Date: March 7, 2026

Prediction: Patches available

What Undercode Say:

Analytics

The vulnerability is identified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS v4.0 vector string is `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N` . This indicates a network-based attack with low complexity, but requires the presence of a sibling directory with a specific naming pattern. The attack requires no privileges or user interaction and has a low impact on confidentiality.

How Exploit:

An attacker could exploit this using a crafted HTTP request to the PagesRouter. The following curl command demonstrates a potential exploit if a sibling directory named `pages-secret` exists alongside the `pages` directory:

curl "http://target-parse-server.com/pages/../pages-secret/config.json"

Protection from this CVE:

  1. Immediate Patching: Update Parse Server to version 8.6.8 or 9.5.0-alpha.8 (or later) using npm:
    npm install [email protected]
    or for the 9.x alpha stream
    npm install [email protected]
    
  2. Workaround: If immediate patching is not possible, rename or move any sibling directories that share the same prefix as the `pagesPath` directory. For example, change `/srv/pages-secret` to /srv/secret-pages. Use `find` to check for such directories:
    Check for sibling directories starting with the same name
    find /srv -maxdepth 1 -type d -name "pages"
    

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files from sibling directories of the pagesPath. This could lead to the exposure of sensitive configuration data, source code, or secrets stored on the server, potentially leading to further system compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top