CVE-2026-53724 Overview
CVE-2026-53724 affects Parse Server, an open source Node.js backend deployed across diverse infrastructure. The vulnerability allows attackers to bypass the default file upload extension blocklist by appending a trailing dot to a filename such as poc.svg.. The extension parser returns an empty string, short-circuiting the blocklist check. The attacker-controlled Content-Type header is then forwarded unchanged to the storage adapter. Storage adapters that preserve the supplied Content-Type (such as Amazon S3 or Google Cloud Storage) subsequently serve the file as image/svg+xml, enabling stored Cross-Site Scripting (XSS) [CWE-79] when a victim opens the file URL.
Critical Impact
Authenticated attackers can upload SVG or HTML payloads that execute JavaScript in a victim's browser session, leading to session hijacking and account compromise.
Affected Products
- Parse Server versions prior to 8.6.79
- Parse Server versions prior to 9.9.1-alpha.4
- Deployments using S3 or GCS storage adapters (the default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff)
Discovery Timeline
- 2026-06-12 - CVE-2026-53724 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-53724
Vulnerability Analysis
Parse Server enforces a default blocklist on uploaded file extensions to prevent active content types from being stored and served. The blocklist check relies on an extension parser that splits the filename on the final dot to extract the extension. When an attacker submits a filename with a trailing dot, such as payload.svg., the parser returns an empty string rather than svg. The blocklist contains no entry for an empty extension, so the upload proceeds.
The second flaw compounds the bypass. Parse Server passes the client-supplied Content-Type directly to the storage backend without revalidation against the actual file contents or extension. Storage adapters that persist response metadata (Amazon S3, Google Cloud Storage) replay the attacker-chosen MIME type when the file is later requested.
Root Cause
The root cause is improper input validation in the extension parsing logic combined with implicit trust of client-supplied Content-Type headers. The empty-string return from the parser short-circuits the security control rather than failing closed. See GitHub Security Advisory GHSA-7wqv-xjf3-x35v for vendor analysis.
Attack Vector
An attacker with upload privileges crafts a multipart upload containing a filename ending in a dot and a Content-Type of image/svg+xml or text/html. The file body contains a JavaScript payload wrapped in SVG or HTML markup. Parse Server accepts the upload, S3 or GCS stores the object with the supplied content type, and the file URL is returned. When a victim opens that URL, the browser renders the payload as active content and executes the script in the Parse Server origin context.
No synthetic exploit code is reproduced here. Technical details are available in GitHub Pull Request #10489 and GitHub Pull Request #10490.
Detection Methods for CVE-2026-53724
Indicators of Compromise
- Uploaded file objects whose filenames end with a trailing dot, particularly preceded by svg, html, htm, xml, or js
- S3 or GCS objects stored with Content-Type: image/svg+xml or text/html originating from the Parse Server upload pipeline
- Outbound script callbacks (beacon traffic, token exfiltration) from browsers immediately after a user opens a Parse-hosted file URL
Detection Strategies
- Inspect Parse Server access logs for POST /parse/files/ requests with filenames matching the regex \.[A-Za-z0-9]+\.$
- Query the configured object store for objects where the recorded Content-Type belongs to an active rendering type and the source key was written by Parse Server
- Correlate file-open events with subsequent suspicious DOM-based network activity to surface stored XSS execution
Monitoring Recommendations
- Enable verbose logging on the Parse Server file controller and forward events into a centralized analytics platform for retrospective hunting
- Add alerting on storage-bucket PUT operations carrying image/svg+xml or text/html from application service accounts that normally upload binary assets
- Track browser-side error and console events from users interacting with Parse-hosted URLs to identify exploitation attempts
How to Mitigate CVE-2026-53724
Immediate Actions Required
- Upgrade Parse Server to version 8.6.79 or 9.9.1-alpha.4 as published in the vendor advisory
- Audit existing uploaded files for trailing-dot filenames and active Content-Type values and quarantine matches
- Rotate any session tokens or API keys that may have been exposed to users who opened attacker-controlled URLs
Patch Information
The fix is delivered in Parse Server 8.6.79 and 9.9.1-alpha.4. The patches normalize filenames by stripping trailing dots before extension parsing and reject uploads whose computed extension is empty. They also constrain the Content-Type forwarded to storage adapters. Refer to GitHub Pull Request #10489 and GitHub Pull Request #10490 for the code-level changes.
Workarounds
- Switch to the default GridFS storage adapter, which sets X-Content-Type-Options: nosniff and blocks MIME-based rendering
- Place a reverse proxy or CDN in front of S3/GCS file URLs that rewrites response headers to add X-Content-Type-Options: nosniff and forces Content-Disposition: attachment
- Serve user-uploaded files from a sandboxed domain isolated from the Parse Server application origin to neutralize stored XSS impact
# Upgrade Parse Server to a patched release
npm install parse-server@8.6.79
# or for the 9.x track
npm install parse-server@9.9.1-alpha.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

