Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Impact

The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages).

This affects any Parse Server deployment with the pages feature enabled (pages.enableRouter: true). Exploitation requires a sibling directory of pagesPath whose name begins with the same string as the pages directory name.

Patches

The fix enforces a path separator boundary in the check, ensuring resolved paths must be strictly inside the pagesPath directory.

Workarounds

Ensure the pagesPath directory has no sibling directories whose names begin with the same prefix. For example, if pagesPath is /srv/pages, ensure no directory like /srv/pages-backup or /srv/pages_old exists alongside it.

References

• GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh
• Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.8
• Fix for Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.8