Parse Server Content-Type Mismatch Vulnerability in File Uploads

Vulnerability

Parse Server versions 8.6.72 and earlier, and 9.x versions prior to 9.7.1-alpha.4, validate only the filename extension of an uploaded file against the extension allowlist; the Content-Type header sent with the upload is not checked against that extension. A file can therefore be uploaded with an allowed extension such as .txt while declaring a Content-Type of text/html. The mismatch is not detected before the file and its declared Content-Type are handed to the storage adapter. Storage adapters such as S3 or GCS store that Content-Type with the object and serve the file with it, so the file is delivered as text/html despite its .txt name. The default GridFS adapter is not affected, because it derives the Content-Type from the filename when the file is served.

Impact

An attacker who can upload files can have them served with a Content-Type of their choosing rather than one implied by the allowlisted extension. A client that trusts the served Content-Type may then render a file with a harmless extension as HTML and execute any script it contains in the origin that hosts the files, or may otherwise misrepresent the file type to users or applications.

Remediation

Update to Parse Server 9.7.1-alpha.4 or 8.6.73, where this vulnerability has been patched. Where an immediate upgrade is not possible, configure the storage adapter or the CDN in front of it to derive the Content-Type from the filename extension when serving files instead of using the Content-Type stored with the object.
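The two controls described above, as an added example in Node.js that is not Parse Server's own code: validateUpload rejects an upload whose Content-Type header does not agree with its (allowlisted) filename extension, and contentTypeForServing ignores any stored Content-Type and picks the type from the extension alone, the way the remediation suggests configuring an adapter or CDN. The allowlist, the extension-to-MIME map and the function names are assumptions for illustration.

```javascript
// Added example, not Parse Server code. Allowlist and MIME map are assumed
// for illustration; a real deployment would use its own configured list.
const ALLOWED_EXTENSIONS = new Set(['txt', 'png', 'jpg', 'jpeg', 'pdf']);

// Media types accepted for each allowed extension (parameters such as
// "; charset=utf-8" are stripped before comparison).
const MIME_BY_EXTENSION = {
  txt: ['text/plain'],
  png: ['image/png'],
  jpg: ['image/jpeg'],
  jpeg: ['image/jpeg'],
  pdf: ['application/pdf'],
};

// Lower-cased extension after the last dot, or null if there is none.
function extensionOf(filename) {
  const dot = filename.lastIndexOf('.');
  if (dot < 0 || dot === filename.length - 1) return null;
  return filename.slice(dot + 1).toLowerCase();
}

// "text/html; charset=utf-8" -> "text/html"; missing header -> "".
function mediaType(contentTypeHeader) {
  return String(contentTypeHeader || '').split(';')[0].trim().toLowerCase();
}

// Upload-time check: the extension must be allowlisted AND the declared
// Content-Type must be one expected for that extension. A missing header
// is replaced by the canonical type for the extension rather than trusted.
// Returns { ok: true, contentType } or { ok: false, reason }.
function validateUpload(filename, contentTypeHeader) {
  const ext = extensionOf(filename);
  if (!ext || !ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension not allowed: ${ext}` };
  }
  const expected = MIME_BY_EXTENSION[ext];
  const declared = mediaType(contentTypeHeader);
  if (declared === '') {
    return { ok: true, contentType: expected[0] };
  }
  if (!expected.includes(declared)) {
    return { ok: false, reason: `Content-Type ${declared} does not match .${ext}` };
  }
  return { ok: true, contentType: declared };
}

// Serving-time mitigation: never use the Content-Type stored with the
// object; derive it from the filename, as the GridFS adapter does. Unknown
// extensions fall back to a type browsers will not render inline.
function contentTypeForServing(filename) {
  const ext = extensionOf(filename);
  const expected = ext && MIME_BY_EXTENSION[ext];
  return expected ? expected[0] : 'application/octet-stream';
}

// Constructed sample uploads showing the vulnerable case from the advisory.
const samples = [
  ['notes.txt', 'text/html'],                 // disguised HTML: rejected
  ['notes.txt', 'text/plain; charset=utf-8'], // consistent: accepted
  ['page.html', 'text/html'],                 // extension not allowlisted
];
for (const [name, type] of samples) {
  console.log(name, type, '->', JSON.stringify(validateUpload(name, type)),
    'served as', contentTypeForServing(name));
}
```

The upload-time check is the one that closes the hole; the serving-time derivation is a defence in depth for objects that were stored with a bad Content-Type before the fix was deployed.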

Added: Apr 6, 2026, 8:23 PM
Updated: Apr 6, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.0
exploitability: 5.0
remediation: 7.9
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.