Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 01fb6a9
Author: Manuel
Date: 2026-03-18T23:25:57Z
Commit Message
fix: Locale parameter path traversal in pages router (#10242)
Pull Request
PR: #10242 - fix: Locale parameter path traversal in pages router
Labels: state:released-alpha
Description:
Summary by CodeRabbit
- Bug Fixes
  - Added runtime validation to reject malformed or non-string locale parameters, ensuring the default page is served for invalid values.
- Tests
  - Added and updated tests covering locale parameter rejection, including path traversal attempts and malicious payloads; renamed a locale XSS test to reflect rejection behavior.
Analysis
Vulnerability Type: Path Traversal
Severity: High
Description
The Pages Router accepted unvalidated locale parameters, which an attacker could use to perform path traversal by supplying locale values with directory traversal sequences. This could allow an attacker to cause the server to serve unintended files outside the expected pages directory, potentially revealing sensitive information or application internals. The patch adds strict validation of the locale parameter to accept only well-formed locale strings, effectively mitigating the path traversal risk.
Affected Code
```
const locale =
  (req.query || {})[pageParams.locale] ||
  (req.body || {})[pageParams.locale] ||
  (req.params || {})[pageParams.locale] ||
  (req.headers || {})[pageParamHeaderPrefix + pageParams.locale];
```
Proof of Concept
Send a request with a locale parameter containing path traversal sequences such as `../../../tmp-pages-locale-target`:
```
GET /apps/test/request_password_reset?token=x&locale=../../../tmp-pages-locale-target HTTP/1.1
Host: vulnerable-server
```
Before the patch, the server builds the page path by appending the unvalidated locale to `pagesPath` and attempts to load the HTML page from that location, so traversal sequences in the locale resolve to files outside the intended directory. For example, if the target directory contains a file `password_reset_link_invalid.html` with secret content, the server serves that file instead of the default page, revealing sensitive file contents. After the patch, a locale parameter containing any character that violates the locale pattern is rejected and the default page is always served with status 200, which prevents the path traversal.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-19T00:01:24.736Z