Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: fc117ef
Author: Manuel
Date: 2026-04-03T18:41:42Z
Commit Message
feat: Add server option `fileDownload` to restrict file download (#10394)
Pull Request
PR: #10394 - feat: Add server option fileDownload to restrict file download
Labels: state:released-alpha
Description:
Pull Request
Issue
File download and metadata endpoints are fully public with no access control. While fileUpload provides granular permission flags, no equivalent exists for downloads. Developers serving files via CDNs have no way to disable direct downloads through P...
Analysis
Vulnerability Type: Access Control Bypass
Severity: High
Description
Before this patch, the file download and file metadata endpoints in Parse Server were fully public: any request that knew a file's URL was served, whether or not it carried a session token. This patch introduces the `fileDownload` configuration option, which restricts download and metadata access per requester class (public, i.e. no session; anonymous user; authenticated user), mirroring the granularity that `fileUpload` already provides, so that unauthenticated or anonymous access to stored files can be switched off.
Affected Code
File download and metadata endpoints are fully public with no access control. While `fileUpload` provides granular permission flags, no equivalent exists for downloads.
Proof of Concept
1. Upload a file to the Parse Server (e.g., test.txt).
2. Without any authentication headers (no X-Parse-Session-Token), send a GET request to the URL returned by the upload response. Under the default mount this has the form http://localhost:8378/1/files/<appId>/<storedFilename>; the stored filename is not the original name, so use the URL the server returned rather than constructing one.
3. The server responds with HTTP 200 and the file content, despite no access controls.
Example curl command (the -i flag prints the status line so the HTTP 200 from step 3 is visible; substitute the URL returned by your upload):
curl -i http://localhost:8378/1/files/<appId>/<storedFilename>
Any party that learns or guesses a file URL can therefore download the file without restriction, and the metadata endpoint leaks the same way. With the patch applied and public downloads disabled in `fileDownload`, the same unauthenticated request is rejected instead of served.
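The access decision the patch introduces, as an added example that is not parse-server's own code: a small Node.js model of the per-requester gate, with the pre-patch behaviour expressed as a fully open configuration beside a hardened one. The three flag names mirror parse-server's existing `fileUpload` options (`enableForPublic`, `enableForAnonymousUser`, `enableForAuthenticatedUser`); that `fileDownload` reuses those names, the in-memory session store, and the fail-closed handling of a missing flag are assumptions of this example, not facts established on this page.

```javascript
// Added example (not parse-server's code): model of a per-requester download gate.
// Flag names are assumed to mirror parse-server's `fileUpload` options.

// Pre-patch behaviour written as a config: every requester class may download.
const legacyPublicConfig = {
  enableForPublic: true,
  enableForAnonymousUser: true,
  enableForAuthenticatedUser: true,
};

// Hardened config for a deployment that serves files via a CDN and wants the
// Parse endpoints closed to anyone without a real account.
const hardenedConfig = {
  enableForPublic: false,
  enableForAnonymousUser: false,
  enableForAuthenticatedUser: true,
};

// Constructed session store standing in for a _Session lookup (assumption).
// An anonymous Parse user is a _User whose authData has an `anonymous` entry.
const sessions = {
  'r:anon-token': { objectId: 'u1', authData: { anonymous: { id: 'dev-1' } } },
  'r:user-token': { objectId: 'u2', username: 'alice' },
};

// Map a request to one of the three classes the option distinguishes.
// Parse clients send the session in the X-Parse-Session-Token header.
function classifyRequester(headers, sessionStore) {
  const token = headers['x-parse-session-token'];
  if (!token) return 'public';
  const user = sessionStore[token];
  if (!user) return 'public'; // unknown or expired token grants nothing
  return user.authData && user.authData.anonymous ? 'anonymous' : 'authenticated';
}

// Decision for one requester class. A missing or undefined flag is treated as
// false (fail closed) in this model; the project's real default is not stated here.
function isDownloadAllowed(fileDownload, requester) {
  const flag = {
    public: 'enableForPublic',
    anonymous: 'enableForAnonymousUser',
    authenticated: 'enableForAuthenticatedUser',
  }[requester];
  return Boolean(fileDownload && flag && fileDownload[flag] === true);
}

// One gate shared by the download route and the metadata route, so the two
// endpoints cannot drift apart. Returns only the HTTP status that would be sent.
function handleFileRequest(fileDownload, headers, sessionStore) {
  const requester = classifyRequester(headers, sessionStore);
  return isDownloadAllowed(fileDownload, requester) ? 200 : 403;
}

// Probe every requester class against a config; useful when reviewing a deployment.
function probeConfig(fileDownload, sessionStore) {
  const cases = {
    public: {},
    anonymous: { 'x-parse-session-token': 'r:anon-token' },
    authenticated: { 'x-parse-session-token': 'r:user-token' },
  };
  const result = {};
  for (const [name, headers] of Object.entries(cases)) {
    result[name] = handleFileRequest(fileDownload, headers, sessionStore);
  }
  return result;
}
```

Run against `legacyPublicConfig`, `probeConfig` returns 200 for all three classes, which is the pre-patch state the proof of concept demonstrates; against `hardenedConfig` only the authenticated request gets 200. Note that an unknown session token is classified as public rather than authenticated, so a guessed or stale token cannot promote a requester.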
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-04-04T00:01:32.033Z