Platform: nodejs
Component: parse-server
Fixed in: 8.6.9, 9.5.1, 8.6.8
CVE-2026-30848 is a Path Traversal vulnerability discovered in Parse Server. This flaw allows unauthenticated attackers to potentially read sensitive files outside the intended pagesPath directory. The vulnerability impacts Parse Server deployments where the pages feature is enabled (pages.enableRouter: true) and affects versions prior to 8.6.8. Upgrade to version 8.6.8 to resolve this issue.
The primary impact of CVE-2026-30848 is unauthorized file access. An attacker can exploit this vulnerability by crafting malicious requests containing path traversal sequences (e.g., ../../../../etc/passwd) to bypass the intended directory boundary. Successful exploitation could lead to the disclosure of sensitive configuration files, source code, or other data stored on the server. The blast radius is limited to the server hosting the Parse Server instance and any files accessible through the pagesPath route. While the CVSS score is LOW, the potential for sensitive data exposure warrants immediate attention.
CVE-2026-30848 was published on 2026-03-09. Its severity is pending further evaluation beyond the initial CVSS score of 3.7 (LOW). No public proof-of-concept (PoC) exploit had been disclosed at the time of writing, and there are no indications of active campaigns targeting this vulnerability. Refer to the official Parse Server advisory for more details.
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2026-30848 is to upgrade Parse Server to version 8.6.8 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing stricter path validation within the PagesRouter route to prevent traversal sequences. This could involve whitelisting allowed file extensions or implementing more robust directory boundary checks. Additionally, review the pagesPath configuration to ensure it does not contain any sensitive information. After upgrading, confirm the fix by attempting a path traversal attack using a known malicious payload and verifying that access is denied.
Update Parse Server to version 8.6.8 or later, or to version 9.5.0-alpha.8 or later. This fixes the path traversal vulnerability in the PagesRouter.
CVE-2026-30848 is a Path Traversal vulnerability in Parse Server affecting versions before 8.6.8. It allows unauthenticated attackers to read files outside the configured pagesPath directory, potentially exposing sensitive data.
You are affected if you are using Parse Server with the pages feature enabled and running a version prior to 8.6.8. Check your version using parse-server --version.
Upgrade to Parse Server version 8.6.8 or later. If immediate upgrade isn't possible, implement stricter path validation within the PagesRouter route.
There are currently no public reports or indications of active exploitation campaigns targeting CVE-2026-30848.
Refer to the official Parse Server documentation and security advisories for the most up-to-date information regarding CVE-2026-30848.