Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: a0b0c69
Author: Manuel
Date: 2026-03-30T23:17:57Z
Commit Message
fix: Streaming file download bypasses afterFind file trigger authorization ([GHSA-hpm8-9qx6-jvwv](https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv)) (#10361)
Pull Request
PR: #10361 - fix: Streaming file download bypasses afterFind file trigger authorization (GHSA-hpm8-9qx6-jvwv)
Labels: state:released-alpha
Description:
Issue
Streaming file download bypasses afterFind file trigger authorization ([GHSA-hpm8-9qx6-jvwv](https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv))
Summary by CodeRabbit
- Bug Fixes
- Authorization enforcement for file downloads has been improved to properly validate user sessions for all download types, including partial content requests.
- Invalid or missing ses...
Analysis
Vulnerability Type: Authorization Bypass
Severity: High
Description
Before the patch, streaming file downloads bypassed the afterFind file trigger authorization, allowing unauthorized users to access protected files by exploiting partial content (Range) requests. The patch enforces authorization checks on all file download types, including streaming (partial content) requests, ensuring that missing or invalid session tokens result in access denial.
Affected Code
```javascript
// Pre-patch streaming branch: a Range (partial content) request is served here
// without running the afterFind file trigger authorization check.
if (isFileStreamable(req, filesController)) {
  for (const [key, value] of Object.entries(defaultResponseHeaders)) {
    res.set(key, value);
  }
  filesController.handleFileStream(config, filename, req, res, contentType).catch(() => {
    res.status(404).send('File not found.');
  });
}
```
Proof of Concept
Send an HTTP GET request for a file URL with a 'Range' header and a missing or invalid session token:
```http
GET /files/secret.txt HTTP/1.1
Host: example.com
X-Parse-Application-Id: test
X-Parse-REST-API-Key: rest
Range: bytes=0-2
```
Expected behavior before patch: 200 OK or partial content served, despite no valid user session.
Expected behavior after patch: 403 Forbidden response, denying access to unauthorized partial content requests.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-31T00:04:52.842Z