DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30848: CVE-2026-30848: Path Traversal Vulnerability in Parse Server PagesRouter

#security #cve #cybersecurity

CVE-2026-30848: Path Traversal Vulnerability in Parse Server PagesRouter

Vulnerability ID: CVE-2026-30848
CVSS Score: 6.3
Published: 2026-03-09

Parse Server's PagesRouter component contains a path traversal vulnerability due to insufficient validation of static file request paths. Unauthenticated attackers can leverage URL-encoded sequences to read files from sibling directories that share the same naming prefix as the configured pages directory.

TL;DR

Parse Server versions prior to 8.6.8 and 9.5.0-alpha.8 are vulnerable to a path traversal attack. The application uses a flawed string prefix comparison for directory boundary checks, allowing unauthenticated attackers to read arbitrary files from sibling directories.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS Score: 6.3
  • EPSS Percentile: 23.37%
  • Impact: Local File Disclosure
  • Exploit Status: PoC Available
  • Authentication Required: None

Affected Systems

  • Parse Server 8.x
  • Parse Server 9.x
  • Parse Server 8.x: < 8.6.8 (Fixed in: 8.6.8)
  • Parse Server 9.x: < 9.5.0-alpha.8 (Fixed in: 9.5.0-alpha.8)

Code Analysis

Commit: e772543

Fix for path traversal vulnerability in PagesRouter by validating directory separator

Mitigation Strategies

  • Upgrade Parse Server to version 8.6.8 or 9.5.0-alpha.8 (or higher).
  • Rename the pagesPath directory to a unique name that does not share a prefix with other sensitive directories.
  • Deploy WAF rules to detect and block URL-encoded traversal sequences (%2e%2e%2f).

Remediation Steps:

  1. Identify the current Parse Server version running in the environment.
  2. Update the parse-server package in package.json to a patched version (>= 8.6.8 or >= 9.5.0-alpha.8).
  3. Run npm install or yarn install to update the dependencies.
  4. Restart the Parse Server application to apply the changes.
  5. Audit the filesystem structure to ensure no sensitive directories reside as siblings to the pagesPath directory.

References

Read the full report for CVE-2026-30848 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)