
PEACH
Un cadre d’isolation des locataires
CVE-2026-55778 is a stored cross-site scripting (XSS) vulnerability in Parse Server caused by an incomplete file upload extension blocklist that can be bypassed using non-standard or compound file extensions. It affects Parse Server versions >= 9.0.0, < 9.9.1-alpha.11 and <= 8.6.80 (npm package). The vulnerability was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v4.0 base score of 2.1 (Low) (GitHub Advisory). This is a follow-up to previously incomplete fixes GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v (Parse Server Advisory).
The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Parse Server's fileUpload.fileExtensions blocklist performs exact-match validation against file extensions, meaning a file uploaded with a non-standard or compound extension (e.g., file.svg~, file.html.old) is not matched against the blocklist and passes validation. When the attacker also supplies a dangerous Content-Type header (e.g., image/svg+xml or text/html), storage adapters such as Amazon S3 or Google Cloud Storage (GCS) that persist and serve the original content type will serve the file with the attacker-controlled MIME type. This allows the browser to render the file as active content, enabling stored XSS. The fix refactors FilesRouter.createHandler to additionally evaluate the request's Content-Type against the blocklist whenever the filename extension is not a recognized MIME type (GitHub Advisory, PR #10505).
Successful exploitation enables stored XSS attacks against other users of the Parse Server application. An authenticated attacker can upload a malicious file that, when opened by a victim, executes arbitrary JavaScript in the victim's browser within the application's origin — potentially leading to session token theft, credential harvesting, or unauthorized actions on behalf of the victim. The impact is limited to integrity and confidentiality of subsequent systems (e.g., browsers of other users), with no direct availability impact. The default GridFS/filesystem adapter partially mitigates rendering via the X-Content-Type-Options: nosniff header, but the upload restriction bypass itself still occurs on all adapters (Parse Server Advisory).
<= 8.6.80 or >= 9.0.0, < 9.9.1-alpha.11) that uses S3 or GCS as its storage adapter and allows authenticated file uploads (the default configuration).<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>) and name it with a non-standard or compound extension that does not exactly match a blocked extension (e.g., payload.svg~, payload.svg.tmp, or payload.html.old).Content-Type request header to a dangerous MIME type such as image/svg+xml or text/html. Because the filename extension does not match the blocklist exactly, the upload passes validation./files/) with a Content-Type header of image/svg+xml or text/html but a filename using a non-standard or compound extension (e.g., .svg~, .svg.tmp, .html.old, .html~).POST /files/ requests where the filename extension does not match the content type's expected extension; subsequent GET requests to the stored file URL from different user sessions..svg~, .html.old) but with metadata Content-Type: image/svg+xml or Content-Type: text/html; file contents containing <script>, <svg>, or JavaScript event handlers (onload, onerror).Upgrade Parse Server to the patched versions: 8.6.81 (LTS) or 9.9.1-alpha.11 (alpha), both released on June 16, 2026. As an immediate workaround, configure fileUpload.fileExtensions as a strict allowlist of only the extensions your application requires (e.g., ["^(png|jpe?g|gif|pdf)$"]) rather than relying on the default blocklist. Additionally, serve uploaded files from a separate domain than the main application to isolate any executed content from the application's origin (Parse Server Advisory, PR #10506).
The fix was authored and published by Parse Server maintainer mtrezza, who also coordinated the security advisory. The vulnerability was identified as an incomplete fix following two prior related advisories (GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), indicating ongoing attention to file upload security in the Parse Server project. No significant broader media coverage or notable external researcher commentary has been identified at this time (Parse Server Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."