Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: dd7cc41
Author: Manuel
Date: 2026-04-02T01:19:26Z
Commit Message
fix: File upload Content-Type override via extension mismatch ([GHSA-vr5f-2r24-w5hc](https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc)) (#10383)
Pull Request
PR: #10383 - fix: File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc)
Labels: state:released-alpha
Description:
Issue
File upload Content-Type override via extension mismatch ([GHSA-vr5f-2r24-w5hc](https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc))
Tasks
Analysis
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Severity: High
Description
Before the patch, the upload handler only reconciled a file's extension with its declared Content-Type when one of the two was missing: a missing extension was derived from the Content-Type, and a missing Content-Type was derived from the extension. When both were present and disagreed, the client-supplied Content-Type was kept as-is. An attacker could therefore upload a file with a harmless-looking extension (e.g. evil.txt) together with a Content-Type of text/html; a browser fetching that file would render it as HTML and execute any embedded script in the origin that serves uploads, which is a stored XSS. The patch derives the stored Content-Type from the file extension instead of trusting the request header, so a spoofed Content-Type can no longer make a .txt file render as HTML.
Affected Code
// Upload handler excerpt (filename, hasExtension and contentType come from the request):
const mime = (await import('mime')).default;
if (!hasExtension && contentType && mime.getExtension(contentType)) {
  // No extension: derive one from the declared Content-Type.
  filename = filename + '.' + mime.getExtension(contentType);
} else if (hasExtension && !contentType) {
  // No Content-Type: derive it from the extension.
  contentType = mime.getType(filename);
}
// No branch handles hasExtension && contentType when the two disagree, so the client-supplied Content-Type is stored unchanged.
Proof of Concept
HTTP POST to /1/files/evil.txt with headers:
Content-Type: text/html
Body (raw bytes, not base64-encoded): <script>alert(1)</script>
Before patch: the file is stored and served as text/html despite the .txt extension, so a browser that opens the file URL renders it as HTML and runs the script (stored XSS).
After patch: the Content-Type is derived from the .txt extension as text/plain, so the browser does not render the body as HTML and no script executes.
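The normalization described in the Description and exercised by the Proof of Concept above, as an added example that is not parse-server's own code. The real handler calls the `mime` npm package; so that this runs offline, the block substitutes a small constructed extension-to-type table for `mime.getType` / `mime.getExtension` (an assumption, as are the helper names `normalizeVulnerable` and `normalizeHardened`). The hardened variant is this example's design, not a verbatim copy of the patch: it always derives the served type from the extension and falls back to application/octet-stream for an unknown extension.

```javascript
// Added example (not parse-server's code): upload Content-Type normalization,
// vulnerable form beside a hardened form. The constructed table below stands
// in for the `mime` package so the block runs without dependencies (ASSUMPTION).
const EXT_TO_MIME = {
  txt: 'text/plain',
  html: 'text/html',
  png: 'image/png',
  pdf: 'application/pdf',
  js: 'text/javascript',
};
const MIME_TO_EXT = Object.fromEntries(
  Object.entries(EXT_TO_MIME).map(([ext, type]) => [type, ext])
);

// Stand-ins for mime.getType / mime.getExtension (constructed, not the real library).
function getType(filename) {
  const m = /\.([^.]+)$/.exec(filename);
  return m ? EXT_TO_MIME[m[1].toLowerCase()] || null : null;
}
function getExtension(contentType) {
  const bare = (contentType || '').split(';')[0].trim().toLowerCase();
  return MIME_TO_EXT[bare] || null;
}

// Pre-patch logic as shown on the page: extension and declared type are only
// reconciled when one of them is missing. When both are present, the
// client-supplied Content-Type is kept even if it contradicts the extension.
function normalizeVulnerable(filename, contentType) {
  const hasExtension = /\.[^.]+$/.test(filename);
  if (!hasExtension && contentType && getExtension(contentType)) {
    filename = filename + '.' + getExtension(contentType);
  } else if (hasExtension && !contentType) {
    contentType = getType(filename);
  }
  return { filename, contentType };
}

// Hardened variant (this example's design): once the file has an extension,
// the served type is always derived from it. An unknown extension falls back
// to application/octet-stream, which browsers never render as HTML.
function normalizeHardened(filename, contentType) {
  const hasExtension = /\.[^.]+$/.test(filename);
  if (!hasExtension && contentType && getExtension(contentType)) {
    filename = filename + '.' + getExtension(contentType);
  }
  const derived = getType(filename);
  return { filename, contentType: derived || 'application/octet-stream' };
}

// Constructed sample: the proof-of-concept upload from the advisory text.
const poc = { filename: 'evil.txt', contentType: 'text/html' };
console.log('before patch:', normalizeVulnerable(poc.filename, poc.contentType));
console.log('after patch :', normalizeHardened(poc.filename, poc.contentType));
```

Running the block shows the PoC stored as text/html by the vulnerable path and as text/plain by the hardened one, while uploads with no extension (e.g. `photo` with image/png) still get an extension appended in both. As general defense in depth, independent of this fix, serving user uploads with `X-Content-Type-Options: nosniff` and from an origin separate from the API limits what a content-type confusion can reach.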
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-04-02T06:00:39.800Z