Parse Server: File upload Content-Type override via extension mismatch

Description

Impact

A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time.

Patches

The file upload now derives the Content-Type from the filename extension, overriding any user-provided Content-Type when the file has an extension.

Workarounds

Configure the storage adapter or CDN to derive Content-Type from the filename extension instead of using the stored Content-Type.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-04 04:22:11 UTC
Updated
2026-04-06 23:43:31 UTC
GitHub reviewed
2026-04-04 04:22:11 UTC
NVD published
2026-04-06

EPSS Score

Score Percentile
0.03% 7.86%

CVSS Scores

Base score Version Severity Vector
2.1 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:L)
Limited confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L)
Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-436 Interpretation Conflict

Credits

  • offset (reporter)
  • mtrezza (coordinator)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm parse-server >= 9.0.0, < 9.7.1-alpha.4 9.7.1-alpha.4
npm parse-server <= 8.6.72 8.6.73

References

cvelogic Threat Intelligence