GHSA-xfh7-phr7-gr2x

Source

https://github.com/advisories/GHSA-xfh7-phr7-gr2x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xfh7-phr7-gr2x/GHSA-xfh7-phr7-gr2x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xfh7-phr7-gr2x

Aliases

Published

2026-03-06T18:45:36Z

Modified

2026-03-16T03:04:44.730017Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction

Details

Impact

The readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey.

Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files.

Patches

The fix adds permission checks to both the file upload and file delete handlers.

Workarounds

There is no workaround other than not using readOnlyMasterKey, or restricting network access to the Files API endpoints.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x
Fix for Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.3
Fix for Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.5

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ],
    "nvd_published_at": "2026-03-06T21:16:16Z",
    "github_reviewed_at": "2026-03-06T18:45:36Z",
    "severity": "MODERATE"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.5.0-alpha.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xfh7-phr7-gr2x/GHSA-xfh7-phr7-gr2x.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xfh7-phr7-gr2x/GHSA-xfh7-phr7-gr2x.json"