CVE-2026-55778
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-55778 is a stored cross-site scripting (XSS) vulnerability in Parse Server caused by an incomplete file upload extension blocklist that can be bypassed using non-standard or compound file extensions. It affects Parse Server versions >= 9.0.0, < 9.9.1-alpha.11 and <= 8.6.80 (npm package). The vulnerability was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v4.0 base score of 2.1 (Low) (GitHub Advisory). This is a follow-up to previously incomplete fixes GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v (Parse Server Advisory).

Détails techniques

The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Parse Server's fileUpload.fileExtensions blocklist performs exact-match validation against file extensions, meaning a file uploaded with a non-standard or compound extension (e.g., file.svg~, file.html.old) is not matched against the blocklist and passes validation. When the attacker also supplies a dangerous Content-Type header (e.g., image/svg+xml or text/html), storage adapters such as Amazon S3 or Google Cloud Storage (GCS) that persist and serve the original content type will serve the file with the attacker-controlled MIME type. This allows the browser to render the file as active content, enabling stored XSS. The fix refactors FilesRouter.createHandler to additionally evaluate the request's Content-Type against the blocklist whenever the filename extension is not a recognized MIME type (GitHub Advisory, PR #10505).

Impact

Successful exploitation enables stored XSS attacks against other users of the Parse Server application. An authenticated attacker can upload a malicious file that, when opened by a victim, executes arbitrary JavaScript in the victim's browser within the application's origin — potentially leading to session token theft, credential harvesting, or unauthorized actions on behalf of the victim. The impact is limited to integrity and confidentiality of subsequent systems (e.g., browsers of other users), with no direct availability impact. The default GridFS/filesystem adapter partially mitigates rendering via the X-Content-Type-Options: nosniff header, but the upload restriction bypass itself still occurs on all adapters (Parse Server Advisory).

Étapes d’exploitation

  1. Obtain authenticated access: Register or log in to a Parse Server instance running an affected version (<= 8.6.80 or >= 9.0.0, < 9.9.1-alpha.11) that uses S3 or GCS as its storage adapter and allows authenticated file uploads (the default configuration).
  2. Craft a malicious file: Create a file containing an XSS payload (e.g., an SVG file with embedded JavaScript: <svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>) and name it with a non-standard or compound extension that does not exactly match a blocked extension (e.g., payload.svg~, payload.svg.tmp, or payload.html.old).
  3. Upload with a dangerous Content-Type: Submit the file to the Parse Server file upload endpoint, explicitly setting the Content-Type request header to a dangerous MIME type such as image/svg+xml or text/html. Because the filename extension does not match the blocklist exactly, the upload passes validation.
  4. Retrieve the stored file URL: After a successful upload, Parse Server returns the URL of the stored file on the cloud storage adapter (S3/GCS), which persists and serves the attacker-supplied content type.
  5. Deliver the URL to a victim: Share or embed the file URL in a context where other authenticated users will open it (e.g., a chat message, profile field, or application content). When the victim's browser opens the URL, the cloud storage serves the file with the dangerous content type, causing the browser to render and execute the embedded XSS payload (Parse Server Advisory, PR #10505).

Indicateurs de compromis

  • Network: HTTP file upload requests to the Parse Server file endpoint (/files/) with a Content-Type header of image/svg+xml or text/html but a filename using a non-standard or compound extension (e.g., .svg~, .svg.tmp, .html.old, .html~).
  • Logs: Parse Server access logs showing successful POST /files/ requests where the filename extension does not match the content type's expected extension; subsequent GET requests to the stored file URL from different user sessions.
  • File System / Storage: Files stored in S3 or GCS buckets with non-standard extensions (e.g., .svg~, .html.old) but with metadata Content-Type: image/svg+xml or Content-Type: text/html; file contents containing <script>, <svg>, or JavaScript event handlers (onload, onerror).

Atténuation et solutions de contournement

Upgrade Parse Server to the patched versions: 8.6.81 (LTS) or 9.9.1-alpha.11 (alpha), both released on June 16, 2026. As an immediate workaround, configure fileUpload.fileExtensions as a strict allowlist of only the extensions your application requires (e.g., ["^(png|jpe?g|gif|pdf)$"]) rather than relying on the default blocklist. Additionally, serve uploaded files from a separate domain than the main application to isolate any executed content from the application's origin (Parse Server Advisory, PR #10506).

Réactions de la communauté

The fix was authored and published by Parse Server maintainer mtrezza, who also coordinated the security advisory. The vulnerability was identified as an incomplete fix following two prior related advisories (GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), indicating ongoing attention to file upload security in the Parse Server project. No significant broader media coverage or notable external researcher commentary has been identified at this time (Parse Server Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git
NonOuiJul 08, 2026
CVE-2026-57480HIGH8.7
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55849HIGH8.5
  • JavaScript logoJavaScript
  • @cyclonedx/cyclonedx-npm
NonOuiJul 08, 2026
CVE-2026-57481LOW2.3
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55778LOW2.1
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités