CVE-2026-30848

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7::::node.js::*

History

No history.

Information

Published : 2026-03-07 17:15

Updated : 2026-03-10 16:56

NVD link : CVE-2026-30848

Mitre link : CVE-2026-30848

CVE.ORG link : CVE-2026-30848

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-30848", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-07T17:15:52.190", "references": [{"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8."}, {"lang": "es", "value": "Parse Server es un backend de c\u00f3digo abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.8 y 9.5.0-alpha.8, la ruta de servicio de archivos est\u00e1ticos de PagesRouter es vulnerable a un ataque de salto de ruta que permite la lectura no autenticada de archivos fuera del directorio pagesPath configurado. La verificaci\u00f3n de l\u00edmites utiliza una comparaci\u00f3n de prefijo de cadena sin aplicar un l\u00edmite de separador de directorio. Un atacante puede usar secuencias de salto de ruta para acceder a archivos en directorios hermanos cuyos nombres comparten el mismo prefijo que el directorio pages (por ejemplo, pages-secret comienza con pages). Este problema ha sido parcheado en las versiones 8.6.8 y 9.5.0-alpha.8."}], "lastModified": "2026-03-10T16:56:59.753", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7BAC0476-CA4F-42DB-BDA2-365203EDCAA7", "versionEndExcluding": "8.6.8"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "77A07A2F-C8ED-4D78-A9C0-66AB42F69F38", "versionEndExcluding": "9.5.0", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3E9F95CF-EEE1-42FC-904E-321F05E3DE4E"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5C02D6F0-5A3A-45F5-8A74-F75A8CCAE7DE"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "103C9745-031B-4822-A19C-A61375FBB1AD"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8D67029D-C1BD-4D46-A84F-C52B4D364268"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3B10930D-B416-4D9A-BA26-F0AD22BFAE28"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "72794836-5CFB-4928-BB22-D7DE813809B4"}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.5.0:alpha7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FA2C4C1E-3AE6-48E0-8B59-80554AE85BB0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}