parse-server: file upload blocklist bypass via content type

20 Jun 2026 · Read 1 min · Severity: schedule it

What changed

Parse Server's file upload extension validation now also evaluates the request content type against the configured blocklist when the filename's extension is not a recognized type, preventing bypass of the blocklist via non-standard extensions.

Who it affects

All Parse Server instances using the default file upload blocklist, especially those with storage adapters that persist and serve the uploaded content type (e.g., S3, GCS).

What to do today

Update Parse Server to the latest patched version. Alternatively, configure fileUpload.fileExtensions as a strict allowlist and serve uploaded files from a separate domain.
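
The strict-allowlist approach as an added example, not Parse Server's own code: it goes a step beyond the fix described above by checking the filename extension and the declared content type on every upload, not only when the extension is unrecognized. The allowlist contents, the function names (extensionOf, subtypeOf, checkUpload, runSamples) and the sample uploads are constructed for illustration, and the allowlist entries are assumed to be regular-expression strings.

```javascript
// Added illustration, not Parse Server source code.
// Constructed allowlist; entries are assumed to be regex strings, as in
// fileUpload.fileExtensions. Anchor with ^ and $ so "png" cannot match "xpngx".
const ALLOWED = ['^(png|jpe?g|gif|pdf)$'];

// Lower-cased text after the last dot of the filename, or null if none.
function extensionOf(filename) {
  const dot = typeof filename === 'string' ? filename.lastIndexOf('.') : -1;
  return dot >= 0 && dot < filename.length - 1
    ? filename.slice(dot + 1).toLowerCase()
    : null;
}

// Subtype of a Content-Type value with parameters dropped:
// "application/pdf; charset=binary" -> "pdf". Null if malformed.
function subtypeOf(contentType) {
  if (typeof contentType !== 'string') return null;
  const parts = contentType.split(';')[0].trim().toLowerCase().split('/');
  return parts.length === 2 && parts[1] ? parts[1] : null;
}

const matches = (value, patterns) =>
  patterns.some((p) => new RegExp(p).test(value));

// Accept only when the extension AND the declared content type both pass.
function checkUpload(filename, contentType, patterns = ALLOWED) {
  const ext = extensionOf(filename);
  if (!ext || !matches(ext, patterns)) {
    return { ok: false, reason: `extension ${ext ?? '(none)'} not allowed` };
  }
  const sub = subtypeOf(contentType);
  if (!sub || !matches(sub, patterns)) {
    return { ok: false, reason: `content type ${contentType} not allowed` };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed sample uploads: [filename, Content-Type header].
const SAMPLES = [
  ['photo.png', 'image/png'],
  ['report.pdf', 'application/pdf; charset=binary'],
  ['notes.xyz', 'application/x-unlisted'], // unrecognized extension
  ['photo.png', 'application/x-unlisted'], // allowed extension, unlisted type
  ['README', undefined], // no extension, no declared type
];

const runSamples = () => SAMPLES.map(([f, c]) => checkUpload(f, c).ok);
console.log(runSamples());
```

Only the first two sample uploads pass; the other three fail on the extension, the content type, or both being absent from the allowlist.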
