Can you explain this vulnerability to me?

This vulnerability affects the PagesRouter component in the Parse Server backend, specifically versions before 8.6.8 and between 9.0.0 and 9.5.0-alpha.8. It is a path traversal flaw that allows unauthenticated attackers to read files outside the intended static file directory (pagesPath).

The issue arises because the boundary check used to restrict file access relies on a string prefix comparison without enforcing a directory separator boundary. This means an attacker can use path traversal sequences to access sibling directories whose names start with the same prefix as the pagesPath directory (for example, if pagesPath is /srv/pages, an attacker could access /srv/pages-secret).

Exploitation requires that the pages feature is enabled and that such sibling directories exist. The vulnerability allows reading unauthorized files remotely without any privileges or user interaction.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to read files outside the intended static file directory on your Parse Server deployment. This could lead to unauthorized disclosure of sensitive information stored in sibling directories that share a prefix with the pagesPath directory.

The confidentiality impact is considered low, as the attacker can only read files but cannot modify or delete them. There is no impact on integrity or availability.

The attack is low complexity, requires no privileges or user interaction, and can be performed remotely over the network.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the PagesRouter static file serving route for path traversal attempts that access files outside the configured pagesPath directory.

You can attempt to access files in sibling directories whose names share the same prefix as the pagesPath directory by sending HTTP requests with path traversal sequences (e.g., ../) to the PagesRouter endpoint.

For example, using curl to test if files outside the pagesPath directory are accessible:

• curl -v http://<parse-server-host>/pages/../pages-secret/somefile
• curl -v http://<parse-server-host>/pages/..%2Fpages-secret%2Fsomefile

If these requests return contents of files outside the intended directory, the system is vulnerable.

Additionally, verify if the Parse Server version is prior to 8.6.8 or between 9.0.0 and 9.5.0-alpha.8, and if the pages feature is enabled (pages.enableRouter: true), as these are conditions for exploitation.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Parse Server to a patched version: 8.6.8 or later, or 9.5.0-alpha.8 or later.

If upgrading immediately is not possible, you can apply workarounds such as ensuring that no sibling directories exist with names sharing the same prefix as the pagesPath directory (e.g., avoid directories like /srv/pages-backup alongside /srv/pages).

Also, consider disabling the pages feature by setting pages.enableRouter to false if it is not required.

These steps help prevent exploitation by removing the conditions necessary for the path traversal attack.

Useful 0 Not Useful 0