Skip to main content

CVE-2026-35200

LOW
Interpretation Conflict (CWE-436)
2026-04-04 https://github.com/parse-community/parse-server GHSA-vr5f-2r24-w5hc
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Apr 04, 2026 - 04:30 vuln.today
Patch released
Apr 04, 2026 - 04:30 nvd
Patch available
CVE Published
Apr 04, 2026 - 04:22 nvd
LOW 2.1

DescriptionGitHub Advisory

Impact

A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time.

Patches

The file upload now derives the Content-Type from the filename extension, overriding any user-provided Content-Type when the file has an extension.

Workarounds

Configure the storage adapter or CDN to derive Content-Type from the filename extension instead of using the stored Content-Type.

AnalysisAI

Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.

Technical ContextAI

Parse Server is a Node.js backend framework that provides file upload functionality through pluggable storage adapters. The vulnerability exists in the file upload pipeline where user-supplied Content-Type headers are passed to storage adapters (S3, GCS, etc.) without validation against the filename extension. This creates a TOCTOU-like inconsistency: the allowlist validation checks only the filename extension (enforcing safe extensions like .txt), but the Content-Type header-which controls how the file is interpreted by browsers and CDNs-is left under attacker control. Cloud storage services like AWS S3 and Google Cloud Storage respect the metadata Content-Type field when serving files, causing them to deliver .txt files with text/html Content-Type, triggering browser interpretation as HTML. The GridFS adapter (MongoDB's native storage) is not vulnerable because it reconstructs Content-Type from the filename at serving time, overriding stored metadata. The root cause is classified under CWE-436 (Interpretation Conflict), a variant of TOCTOU where different components interpret the same input differently. The affected product is the npm package parse-server across versions prior to the patch releases.

RemediationAI

Upgrade Parse Server to the patched version released in response to GitHub pull requests #10383 or #10384, which implement Content-Type derivation from filename extensions, overriding any user-supplied Content-Type header. Exact patched version numbers can be found in the release notes linked from the GitHub advisory at https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc. For teams unable to upgrade immediately, configure the storage adapter (S3, GCS, or CDN) to derive Content-Type from the filename extension rather than using the stored metadata Content-Type value. Additionally, implement filename extension allowlisting at the storage adapter level as a defense-in-depth measure.

Share

CVE-2026-35200 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy