GHSA-hpm8-9qx6-jvwv

Source
https://github.com/advisories/GHSA-hpm8-9qx6-jvwv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hpm8-9qx6-jvwv/GHSA-hpm8-9qx6-jvwv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hpm8-9qx6-jvwv
Aliases
Published
2026-04-01T23:09:14Z
Modified
2026-04-06T15:27:18.137809623Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Parse Server's streaming file download bypasses afterFind file trigger authorization
Details

Impact

File downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser.

Patches

The streaming file download path now executes the afterFind(Parse.File) trigger before sending any data. Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests.

Workarounds

Use beforeFind(Parse.File) instead of afterFind(Parse.File) for file access authorization. The beforeFind trigger runs on all download paths including streaming.
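The following Cloud Code is an added example illustrating the workaround above; it is not code from the advisory or from the parse-server project. It assumes the file trigger request object exposes `req.user`, `req.master` and `req.file` as in Parse Server's file triggers, and takes the `Parse` namespace as a parameter only so it can be exercised with a stand-in object.

```javascript
// Added example: enforce file download authorization in beforeFind(Parse.File),
// which runs on every download path (including HTTP Range streaming), instead
// of afterFind(Parse.File), which the streaming path skipped in affected
// parse-server versions.
//
// Assumptions (not from the advisory): the trigger request carries `req.user`,
// `req.master` and `req.file`; `Parse` is passed in rather than taken from the
// Cloud Code global so the registration can be tested offline.

// Pure authorization decision, separated from the trigger so it can be unit
// tested without a running Parse Server.
function authorizeFileDownload(req) {
  // Master-key requests bypass user-level checks, mirroring Parse's validators.
  if (req.master) return { allowed: true, reason: 'master' };
  if (!req.user) return { allowed: false, reason: 'unauthenticated' };
  return { allowed: true, reason: 'user:' + req.user.id };
}

function registerFileDownloadAuthorization(Parse) {
  // Weak placement, shown for contrast only: afterFind(Parse.File) with the
  // built-in requireUser validator was not executed on streaming downloads in
  // affected versions, so it must not be the sole gate:
  //   Parse.Cloud.afterFind(Parse.File, handler, { requireUser: true });
  //
  // Workaround from the advisory: beforeFind(Parse.File) runs on all paths.
  Parse.Cloud.beforeFind(Parse.File, (req) => {
    const decision = authorizeFileDownload(req);
    if (!decision.allowed) {
      // Throwing here aborts the request before any file bytes are sent.
      throw new Parse.Error(
        Parse.Error.OPERATION_FORBIDDEN,
        'File download denied: ' + decision.reason
      );
    }
  });
}
```

In a real deployment, drop this into `cloud/main.js` and call `registerFileDownloadAuthorization(Parse)` with the global namespace.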

Database specific
{
    "github_reviewed_at": "2026-04-01T23:09:14Z",
    "nvd_published_at": "2026-03-31T20:16:29Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / parse-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
9.7.1-alpha.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hpm8-9qx6-jvwv/GHSA-hpm8-9qx6-jvwv.json"

npm / parse-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.6.71

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hpm8-9qx6-jvwv/GHSA-hpm8-9qx6-jvwv.json"