chore(release): 9.3.0-alpha.3 [skip ci]

# [9.3.0-alpha.3](https://github.com/parse-community/parse-server/compare/9.3.0-alpha.2...9.3.0-alpha.3) (2026-02-07) ### Features * Add `Parse.File.url` validation with config `fileUpload.allowedFileUrlDomains` against SSRF attacks ([#10044](https://github.com/parse-community/parse-server/issues/10044)) ([4c9c948](4c9c9489f0))
feat: Add Parse.File.url validation with config fileUpload.allowedFileUrlDomains against SSRF attacks (#10044 )
2026-02-07 17:04:27 +00:00 · 2026-02-07 17:03:39 +00:00 · 2026-02-07 01:11:09 +00:00 · 2026-02-06 16:42:52 +00:00 · 2026-02-06 16:31:03 +00:00 · 2026-02-06 16:30:13 +00:00
28 changed files with 1190 additions and 336 deletions
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ A big _thank you_ 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
  - [Using Environment Variables](#using-environment-variables)
  - [Available Adapters](#available-adapters)
  - [Configuring File Adapters](#configuring-file-adapters)
+    - [Restricting File URL Domains](#restricting-file-url-domains)
  - [Idempotency Enforcement](#idempotency-enforcement)
  - [Localization](#localization)
    - [Pages](#pages)
@@ -491,6 +492,33 @@ Parse Server allows developers to choose from several options when hosting files

 `GridFSBucketAdapter` is used by default and requires no setup, but if you're interested in using Amazon S3, Google Cloud Storage, or local file storage, additional configuration information is available in the [Parse Server guide](http://docs.parseplatform.org/parse-server/guide/#configuring-file-adapters).

+### Restricting File URL Domains
+
+Parse objects can reference files by URL. To prevent [SSRF attacks](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) via crafted file URLs, you can restrict the allowed URL domains using the `fileUpload.allowedFileUrlDomains` option.
+
+This protects against scenarios where an attacker provides a `Parse.File` with an arbitrary URL, for example as a Cloud Function parameter or in a field of type `Object` or `Array`. If Cloud Code or a client calls `getData()` on such a file, the Parse SDK makes an HTTP request to that URL, potentially leaking the server or client IP address and accessing internal services.
+
+> [!NOTE]
+> Fields of type `Parse.File` in the Parse schema are not affected by this attack, because Parse Server discards the URL on write and dynamically generates it on read based on the file adapter configuration.
+
+```javascript
+const parseServer = new ParseServer({
+  ...otherOptions,
+  fileUpload: {
+    allowedFileUrlDomains: ['cdn.example.com', '*.example.com'],
+  },
+});
+```
+
+| Parameter | Optional | Type | Default | Environment Variable |
+|---|---|---|---|---|
+| `fileUpload.allowedFileUrlDomains` | yes | `String[]` | `['*']` | `PARSE_SERVER_FILE_UPLOAD_ALLOWED_FILE_URL_DOMAINS` |
+
+- `['*']` (default) allows file URLs with any domain.
+- `['cdn.example.com']` allows only exact hostname matches.
+- `['*.example.com']` allows any subdomain of `example.com`.
+- `[]` blocks all file URLs; only files referenced by name are allowed.
+
 ## Idempotency Enforcement

 **Caution, this is an experimental feature that may not be appropriate for production.**
--- a/changelogs/CHANGELOG_alpha.md
+++ b/changelogs/CHANGELOG_alpha.md
@@ -1,3 +1,24 @@
+# [9.3.0-alpha.3](https://github.com/parse-community/parse-server/compare/9.3.0-alpha.2...9.3.0-alpha.3) (2026-02-07)
+
+
+### Features
+
+* Add `Parse.File.url` validation with config `fileUpload.allowedFileUrlDomains` against SSRF attacks ([#10044](https://github.com/parse-community/parse-server/issues/10044)) ([4c9c948](https://github.com/parse-community/parse-server/commit/4c9c9489f062bec6d751b23f4a68aea2a63936bd))
+
+# [9.3.0-alpha.2](https://github.com/parse-community/parse-server/compare/9.3.0-alpha.1...9.3.0-alpha.2) (2026-02-06)
+
+
+### Bug Fixes
+
+* Default HTML pages for password reset, email verification not found ([#10041](https://github.com/parse-community/parse-server/issues/10041)) ([a4265bb](https://github.com/parse-community/parse-server/commit/a4265bb1241551b7147e8aee08c36e1f8ab09ba4))
+
+# [9.3.0-alpha.1](https://github.com/parse-community/parse-server/compare/9.2.1-alpha.2...9.3.0-alpha.1) (2026-02-06)
+
+
+### Features
+
+* Add event information to `verifyUserEmails`, `preventLoginWithUnverifiedEmail` to identify invoking signup / login action and auth provider ([#9963](https://github.com/parse-community/parse-server/issues/9963)) ([ed98c15](https://github.com/parse-community/parse-server/commit/ed98c15f90f2fa6a66780941fd3705b805d6eb14))
+
 ## [9.2.1-alpha.2](https://github.com/parse-community/parse-server/compare/9.2.1-alpha.1...9.2.1-alpha.2) (2026-02-06)


--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "parse-server",
-  "version": "9.2.1-alpha.2",
+  "version": "9.3.0-alpha.3",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "parse-server",
-      "version": "9.2.1-alpha.2",
+      "version": "9.3.0-alpha.3",
      "hasInstallScript": true,
      "license": "Apache-2.0",
      "dependencies": {
@@ -18,7 +18,7 @@
        "@parse/fs-files-adapter": "3.0.0",
        "@parse/push-adapter": "8.2.0",
        "bcryptjs": "3.0.3",
-        "commander": "14.0.2",
+        "commander": "14.0.3",
        "cors": "2.8.6",
        "deepcopy": "2.1.0",
        "express": "5.2.1",
@@ -73,7 +73,7 @@
        "@semantic-release/git": "10.0.1",
        "@semantic-release/github": "11.0.3",
        "@semantic-release/npm": "12.0.1",
-        "@semantic-release/release-notes-generator": "14.0.3",
+        "@semantic-release/release-notes-generator": "14.1.0",
        "all-node-versions": "13.0.1",
        "apollo-upload-client": "18.0.1",
        "clean-jsdoc-theme": "4.3.0",
@@ -98,7 +98,7 @@
        "node-abort-controller": "3.1.1",
        "node-fetch": "3.2.10",
        "nyc": "17.1.0",
-        "prettier": "2.0.5",
+        "prettier": "3.8.1",
        "semantic-release": "24.2.5",
        "typescript": "5.8.3",
        "typescript-eslint": "8.53.1",
@@ -5814,9 +5814,9 @@
      }
    },
    "node_modules/@semantic-release/release-notes-generator": {
-      "version": "14.0.3",
-      "resolved": "https://registry.npmjs.org/@semantic-release/release-notes-generator/-/release-notes-generator-14.0.3.tgz",
-      "integrity": "sha512-XxAZRPWGwO5JwJtS83bRdoIhCiYIx8Vhr+u231pQAsdFIAbm19rSVJLdnBN+Avvk7CKvNQE/nJ4y7uqKH6WTiw==",
+      "version": "14.1.0",
+      "resolved": "https://registry.npmjs.org/@semantic-release/release-notes-generator/-/release-notes-generator-14.1.0.tgz",
+      "integrity": "sha512-CcyDRk7xq+ON/20YNR+1I/jP7BYKICr1uKd1HHpROSnnTdGqOTburi4jcRiTYz0cpfhxSloQO3cGhnoot7IEkA==",
      "dev": true,
      "dependencies": {
        "conventional-changelog-angular": "^8.0.0",
@@ -8555,9 +8555,9 @@
      }
    },
    "node_modules/commander": {
-      "version": "14.0.2",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.2.tgz",
-      "integrity": "sha512-TywoWNNRbhoD0BXs1P3ZEScW8W5iKrnbithIl0YH+uCmBd0QpPOA8yc82DS3BIE5Ma6FnBVUsJ7wVUDz4dvOWQ==",
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
      "engines": {
        "node": ">=20"
      }
@@ -18772,15 +18772,19 @@
      }
    },
    "node_modules/prettier": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.0.5.tgz",
-      "integrity": "sha512-7PtVymN48hGcO4fGjybyBSIWDsLU4H4XlvOHfq91pz9kkGlonzwTfYkaIEwiRg/dAJF9YlbsduBAgtYLi+8cFg==",
+      "version": "3.8.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.1.tgz",
+      "integrity": "sha512-UOnG6LftzbdaHZcKoPFtOcCKztrQ57WkHDeRD9t/PTQtmT0NHSeWWepj6pS0z/N7+08BHFDQVUrfmfMRcZwbMg==",
      "dev": true,
+      "license": "MIT",
      "bin": {
-        "prettier": "bin-prettier.js"
+        "prettier": "bin/prettier.cjs"
      },
      "engines": {
-        "node": ">=10.13.0"
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
      }
    },
    "node_modules/pretty-ms": {
@@ -26486,9 +26490,9 @@
      }
    },
    "@semantic-release/release-notes-generator": {
-      "version": "14.0.3",
-      "resolved": "https://registry.npmjs.org/@semantic-release/release-notes-generator/-/release-notes-generator-14.0.3.tgz",
-      "integrity": "sha512-XxAZRPWGwO5JwJtS83bRdoIhCiYIx8Vhr+u231pQAsdFIAbm19rSVJLdnBN+Avvk7CKvNQE/nJ4y7uqKH6WTiw==",
+      "version": "14.1.0",
+      "resolved": "https://registry.npmjs.org/@semantic-release/release-notes-generator/-/release-notes-generator-14.1.0.tgz",
+      "integrity": "sha512-CcyDRk7xq+ON/20YNR+1I/jP7BYKICr1uKd1HHpROSnnTdGqOTburi4jcRiTYz0cpfhxSloQO3cGhnoot7IEkA==",
      "dev": true,
      "requires": {
        "conventional-changelog-angular": "^8.0.0",
@@ -28403,9 +28407,9 @@
      }
    },
    "commander": {
-      "version": "14.0.2",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.2.tgz",
-      "integrity": "sha512-TywoWNNRbhoD0BXs1P3ZEScW8W5iKrnbithIl0YH+uCmBd0QpPOA8yc82DS3BIE5Ma6FnBVUsJ7wVUDz4dvOWQ=="
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw=="
    },
    "commondir": {
      "version": "1.0.1",
@@ -35479,9 +35483,9 @@
      "dev": true
    },
    "prettier": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.0.5.tgz",
-      "integrity": "sha512-7PtVymN48hGcO4fGjybyBSIWDsLU4H4XlvOHfq91pz9kkGlonzwTfYkaIEwiRg/dAJF9YlbsduBAgtYLi+8cFg==",
+      "version": "3.8.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.1.tgz",
+      "integrity": "sha512-UOnG6LftzbdaHZcKoPFtOcCKztrQ57WkHDeRD9t/PTQtmT0NHSeWWepj6pS0z/N7+08BHFDQVUrfmfMRcZwbMg==",
      "dev": true
    },
    "pretty-ms": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "parse-server",
-  "version": "9.2.1-alpha.2",
+  "version": "9.3.0-alpha.3",
  "description": "An express module providing a Parse-compatible API server",
  "main": "lib/index.js",
  "repository": {
@@ -28,7 +28,7 @@
    "@parse/fs-files-adapter": "3.0.0",
    "@parse/push-adapter": "8.2.0",
    "bcryptjs": "3.0.3",
-    "commander": "14.0.2",
+    "commander": "14.0.3",
    "cors": "2.8.6",
    "deepcopy": "2.1.0",
    "express": "5.2.1",
@@ -80,7 +80,7 @@
    "@semantic-release/git": "10.0.1",
    "@semantic-release/github": "11.0.3",
    "@semantic-release/npm": "12.0.1",
-    "@semantic-release/release-notes-generator": "14.0.3",
+    "@semantic-release/release-notes-generator": "14.1.0",
    "all-node-versions": "13.0.1",
    "apollo-upload-client": "18.0.1",
    "clean-jsdoc-theme": "4.3.0",
@@ -105,7 +105,7 @@
    "node-abort-controller": "3.1.1",
    "node-fetch": "3.2.10",
    "nyc": "17.1.0",
-    "prettier": "2.0.5",
+    "prettier": "3.8.1",
    "semantic-release": "24.2.5",
    "typescript": "5.8.3",
    "typescript-eslint": "8.53.1",
--- a/resources/buildConfigDefinitions.js
+++ b/resources/buildConfigDefinitions.js
@@ -158,6 +158,11 @@ function mapperFor(elt, t) {
    return wrap(t.identifier('booleanParser'));
  } else if (t.isObjectTypeAnnotation(elt)) {
    return wrap(t.identifier('objectParser'));
+  } else if (t.isUnionTypeAnnotation(elt)) {
+    const unionTypes = elt.typeAnnotation?.types || elt.types;
+    if (unionTypes?.some(type => t.isBooleanTypeAnnotation(type)) && unionTypes?.some(type => t.isFunctionTypeAnnotation(type))) {
+      return wrap(t.identifier('booleanOrFunctionParser'));
+    }
  } else if (t.isGenericTypeAnnotation(elt)) {
    const type = elt.typeAnnotation.id.name;
    if (type == 'Adapter') {
--- a/spec/Deprecator.spec.js
+++ b/spec/Deprecator.spec.js
@@ -70,4 +70,37 @@ describe('Deprecator', () => {
    Deprecator.scanParseServerOptions({ databaseOptions: { testOption: true } });
    expect(logSpy).not.toHaveBeenCalled();
  });
+
+  it('logs deprecation for allowedFileUrlDomains when not set', async () => {
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    // Pass a fresh fileUpload object without allowedFileUrlDomains to avoid
+    // inheriting the mutated default from a previous reconfigureServer() call.
+    await reconfigureServer({
+      fileUpload: {
+        enableForPublic: true,
+        enableForAnonymousUser: true,
+        enableForAuthenticatedUser: true,
+      },
+    });
+    expect(logSpy).toHaveBeenCalledWith(
+      jasmine.objectContaining({
+        optionKey: 'fileUpload.allowedFileUrlDomains',
+        changeNewDefault: '[]',
+      })
+    );
+  });
+
+  it('does not log deprecation for allowedFileUrlDomains when explicitly set', async () => {
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    await reconfigureServer({
+      fileUpload: { allowedFileUrlDomains: ['*'] },
+    });
+    expect(logSpy).not.toHaveBeenCalledWith(
+      jasmine.objectContaining({
+        optionKey: 'fileUpload.allowedFileUrlDomains',
+      })
+    );
+  });
 });
--- a/spec/EmailVerificationToken.spec.js
+++ b/spec/EmailVerificationToken.spec.js
@@ -288,7 +288,15 @@ describe('Email Verification Token Expiration:', () => {
    };
    const verifyUserEmails = {
      method(req) {
-        expect(Object.keys(req)).toEqual(['original', 'object', 'master', 'ip', 'installationId']);
+        expect(Object.keys(req)).toEqual([
+          'original',
+          'object',
+          'master',
+          'ip',
+          'installationId',
+          'createdWith',
+        ]);
+        expect(req.createdWith).toEqual({ action: 'signup', authProvider: 'password' });
        return false;
      },
    };
@@ -349,7 +357,15 @@ describe('Email Verification Token Expiration:', () => {
    };
    const verifyUserEmails = {
      method(req) {
-        expect(Object.keys(req)).toEqual(['original', 'object', 'master', 'ip', 'installationId']);
+        expect(Object.keys(req)).toEqual([
+          'original',
+          'object',
+          'master',
+          'ip',
+          'installationId',
+          'createdWith',
+        ]);
+        expect(req.createdWith).toEqual({ action: 'signup', authProvider: 'password' });
        if (req.object.get('username') === 'no_email') {
          return false;
        }
@@ -384,6 +400,144 @@ describe('Email Verification Token Expiration:', () => {
    expect(verifySpy).toHaveBeenCalledTimes(5);
  });

+  it('provides createdWith on signup when verification blocks session creation', async () => {
+    const verifyUserEmails = {
+      method: params => {
+        expect(params.object).toBeInstanceOf(Parse.User);
+        expect(params.createdWith).toEqual({ action: 'signup', authProvider: 'password' });
+        return true;
+      },
+    };
+    const verifySpy = spyOn(verifyUserEmails, 'method').and.callThrough();
+    await reconfigureServer({
+      appName: 'emailVerifyToken',
+      verifyUserEmails: verifyUserEmails.method,
+      preventLoginWithUnverifiedEmail: true,
+      preventSignupWithUnverifiedEmail: true,
+      emailAdapter: MockEmailAdapterWithOptions({
+        fromAddress: 'parse@example.com',
+        apiKey: 'k',
+        domain: 'd',
+      }),
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    const user = new Parse.User();
+    user.setUsername('signup_created_with');
+    user.setPassword('pass');
+    user.setEmail('signup@example.com');
+    const res = await user.signUp().catch(e => e);
+    expect(res.message).toBe('User email is not verified.');
+    expect(user.getSessionToken()).toBeUndefined();
+    expect(verifySpy).toHaveBeenCalledTimes(2); // before signup completion and on preventLoginWithUnverifiedEmail
+  });
+
+  it('provides createdWith with auth provider on login verification', async () => {
+    const user = new Parse.User();
+    user.setUsername('user_created_with_login');
+    user.setPassword('pass');
+    user.set('email', 'login@example.com');
+    await user.signUp();
+
+    const verifyUserEmails = {
+      method: async params => {
+        expect(params.object).toBeInstanceOf(Parse.User);
+        expect(params.createdWith).toEqual({ action: 'login', authProvider: 'password' });
+        return true;
+      },
+    };
+    const verifyUserEmailsSpy = spyOn(verifyUserEmails, 'method').and.callThrough();
+    await reconfigureServer({
+      appName: 'emailVerifyToken',
+      publicServerURL: 'http://localhost:8378/1',
+      verifyUserEmails: verifyUserEmails.method,
+      preventLoginWithUnverifiedEmail: verifyUserEmails.method,
+      preventSignupWithUnverifiedEmail: true,
+      emailAdapter: MockEmailAdapterWithOptions({
+        fromAddress: 'parse@example.com',
+        apiKey: 'k',
+        domain: 'd',
+      }),
+    });
+
+    const res = await Parse.User.logIn('user_created_with_login', 'pass').catch(e => e);
+    expect(res.code).toBe(205);
+    expect(verifyUserEmailsSpy).toHaveBeenCalledTimes(2); // before login completion and on preventLoginWithUnverifiedEmail
+  });
+
+  it('provides createdWith with auth provider on signup verification', async () => {
+    const createdWithValues = [];
+    const verifyUserEmails = {
+      method: params => {
+        createdWithValues.push(params.createdWith);
+        return true;
+      },
+    };
+    const verifySpy = spyOn(verifyUserEmails, 'method').and.callThrough();
+    await reconfigureServer({
+      appName: 'emailVerifyToken',
+      verifyUserEmails: verifyUserEmails.method,
+      preventLoginWithUnverifiedEmail: true,
+      preventSignupWithUnverifiedEmail: true,
+      emailAdapter: MockEmailAdapterWithOptions({
+        fromAddress: 'parse@example.com',
+        apiKey: 'k',
+        domain: 'd',
+      }),
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    const provider = {
+      authData: { id: '8675309', access_token: 'jenny' },
+      shouldError: false,
+      authenticate(options) {
+        options.success(this, this.authData);
+      },
+      restoreAuthentication() {
+        return true;
+      },
+      getAuthType() {
+        return 'facebook';
+      },
+      deauthenticate() {},
+    };
+    Parse.User._registerAuthenticationProvider(provider);
+    const res = await Parse.User._logInWith('facebook').catch(e => e);
+    expect(res.message).toBe('User email is not verified.');
+    // Called once in createSessionTokenIfNeeded (no email set, so _validateEmail skips)
+    expect(verifySpy).toHaveBeenCalledTimes(1);
+    expect(createdWithValues[0]).toEqual({ action: 'signup', authProvider: 'facebook' });
+  });
+
+  it('provides createdWith for preventLoginWithUnverifiedEmail function', async () => {
+    const user = new Parse.User();
+    user.setUsername('user_prevent_login_fn');
+    user.setPassword('pass');
+    user.set('email', 'preventlogin@example.com');
+    await user.signUp();
+
+    const preventLoginCreatedWith = [];
+    await reconfigureServer({
+      appName: 'emailVerifyToken',
+      publicServerURL: 'http://localhost:8378/1',
+      verifyUserEmails: true,
+      preventLoginWithUnverifiedEmail: params => {
+        preventLoginCreatedWith.push(params.createdWith);
+        return true;
+      },
+      emailAdapter: MockEmailAdapterWithOptions({
+        fromAddress: 'parse@example.com',
+        apiKey: 'k',
+        domain: 'd',
+      }),
+    });
+
+    const res = await Parse.User.logIn('user_prevent_login_fn', 'pass').catch(e => e);
+    expect(res.code).toBe(205);
+    expect(preventLoginCreatedWith.length).toBe(1);
+    expect(preventLoginCreatedWith[0]).toEqual({ action: 'login', authProvider: 'password' });
+  });
+
  it_id('d812de87-33d1-495e-a6e8-3485f6dc3589')(it)('can conditionally send user email verification', async () => {
    const emailAdapter = {
      sendVerificationEmail: () => {},
@@ -779,6 +933,7 @@ describe('Email Verification Token Expiration:', () => {
        expect(params.master).toBeDefined();
        expect(params.installationId).toBeDefined();
        expect(params.resendRequest).toBeTrue();
+        expect(params.createdWith).toBeUndefined();
        return true;
      },
    };
--- a/spec/FileUrlValidator.spec.js
+++ b/spec/FileUrlValidator.spec.js
@@ -0,0 +1,141 @@
+'use strict';
+
+const { validateFileUrl, validateFileUrlsInObject } = require('../src/FileUrlValidator');
+
+describe('FileUrlValidator', () => {
+  describe('validateFileUrl', () => {
+    it('allows null, undefined, and empty string URLs', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: [] } };
+      expect(() => validateFileUrl(null, config)).not.toThrow();
+      expect(() => validateFileUrl(undefined, config)).not.toThrow();
+      expect(() => validateFileUrl('', config)).not.toThrow();
+    });
+
+    it('allows any URL when allowedFileUrlDomains contains wildcard', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['*'] } };
+      expect(() => validateFileUrl('http://malicious.example.com/file.txt', config)).not.toThrow();
+      expect(() => validateFileUrl('http://malicious.example.com/leak', config)).not.toThrow();
+    });
+
+    it('allows any URL when allowedFileUrlDomains is not an array', () => {
+      expect(() => validateFileUrl('http://example.com/file', {})).not.toThrow();
+      expect(() => validateFileUrl('http://example.com/file', { fileUpload: {} })).not.toThrow();
+      expect(() => validateFileUrl('http://example.com/file', null)).not.toThrow();
+    });
+
+    it('rejects all URLs when allowedFileUrlDomains is empty', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: [] } };
+      expect(() => validateFileUrl('http://example.com/file', config)).toThrowError(
+        /not allowed/
+      );
+    });
+
+    it('allows URLs matching exact hostname', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['cdn.example.com'] } };
+      expect(() => validateFileUrl('https://cdn.example.com/files/test.txt', config)).not.toThrow();
+    });
+
+    it('rejects URLs not matching any allowed hostname', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['cdn.example.com'] } };
+      expect(() => validateFileUrl('http://malicious.example.com/file', config)).toThrowError(
+        /not allowed/
+      );
+    });
+
+    it('supports wildcard subdomain matching', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['*.example.com'] } };
+      expect(() => validateFileUrl('https://cdn.example.com/file.txt', config)).not.toThrow();
+      expect(() => validateFileUrl('https://us-east.cdn.example.com/file.txt', config)).not.toThrow();
+      expect(() => validateFileUrl('https://example.net/file.txt', config)).toThrowError(
+        /not allowed/
+      );
+    });
+
+    it('performs case-insensitive hostname matching', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['CDN.Example.COM'] } };
+      expect(() => validateFileUrl('https://cdn.example.com/file.txt', config)).not.toThrow();
+    });
+
+    it('throws on invalid URL strings', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['example.com'] } };
+      expect(() => validateFileUrl('not-a-url', config)).toThrowError(
+        /Invalid file URL/
+      );
+    });
+
+    it('supports multiple allowed domains', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['cdn1.example.com', 'cdn2.example.com'] } };
+      expect(() => validateFileUrl('https://cdn1.example.com/file.txt', config)).not.toThrow();
+      expect(() => validateFileUrl('https://cdn2.example.com/file.txt', config)).not.toThrow();
+      expect(() => validateFileUrl('https://cdn3.example.com/file.txt', config)).toThrowError(
+        /not allowed/
+      );
+    });
+
+    it('does not allow partial hostname matches', () => {
+      const config = { fileUpload: { allowedFileUrlDomains: ['example.com'] } };
+      expect(() => validateFileUrl('https://notexample.com/file.txt', config)).toThrowError(
+        /not allowed/
+      );
+      expect(() => validateFileUrl('https://example.com.malicious.example.com/file.txt', config)).toThrowError(
+        /not allowed/
+      );
+    });
+  });
+
+  describe('validateFileUrlsInObject', () => {
+    const config = { fileUpload: { allowedFileUrlDomains: ['example.com'] } };
+
+    it('validates file URLs in flat objects', () => {
+      expect(() =>
+        validateFileUrlsInObject(
+          { file: { __type: 'File', name: 'test.txt', url: 'http://malicious.example.com/file' } },
+          config
+        )
+      ).toThrowError(/not allowed/);
+    });
+
+    it('validates file URLs in nested objects', () => {
+      expect(() =>
+        validateFileUrlsInObject(
+          { nested: { deep: { file: { __type: 'File', name: 'test.txt', url: 'http://malicious.example.com/file' } } } },
+          config
+        )
+      ).toThrowError(/not allowed/);
+    });
+
+    it('validates file URLs in arrays', () => {
+      expect(() =>
+        validateFileUrlsInObject(
+          [{ __type: 'File', name: 'test.txt', url: 'http://malicious.example.com/file' }],
+          config
+        )
+      ).toThrowError(/not allowed/);
+    });
+
+    it('allows files without URLs', () => {
+      expect(() =>
+        validateFileUrlsInObject(
+          { file: { __type: 'File', name: 'test.txt' } },
+          config
+        )
+      ).not.toThrow();
+    });
+
+    it('allows files with permitted URLs', () => {
+      expect(() =>
+        validateFileUrlsInObject(
+          { file: { __type: 'File', name: 'test.txt', url: 'http://example.com/file.txt' } },
+          config
+        )
+      ).not.toThrow();
+    });
+
+    it('handles null, undefined, and primitive values', () => {
+      expect(() => validateFileUrlsInObject(null, config)).not.toThrow();
+      expect(() => validateFileUrlsInObject(undefined, config)).not.toThrow();
+      expect(() => validateFileUrlsInObject('string', config)).not.toThrow();
+      expect(() => validateFileUrlsInObject(42, config)).not.toThrow();
+    });
+  });
+});
--- a/spec/PagesRouter.spec.js
+++ b/spec/PagesRouter.spec.js
@@ -225,9 +225,7 @@ describe('Pages Router', () => {
        expect(Config.get(Parse.applicationId).pages.forceRedirect).toBe(
          Definitions.PagesOptions.forceRedirect.default
        );
-        expect(Config.get(Parse.applicationId).pages.pagesPath).toBe(
-          Definitions.PagesOptions.pagesPath.default
-        );
+        expect(Config.get(Parse.applicationId).pages.pagesPath).toBeUndefined();
        expect(Config.get(Parse.applicationId).pages.pagesEndpoint).toBe(
          Definitions.PagesOptions.pagesEndpoint.default
        );
@@ -1236,6 +1234,36 @@ describe('Pages Router', () => {
    });
  });

+  describe('pagesPath resolution', () => {
+    it('should serve pages when current working directory differs from module directory', async () => {
+      const originalCwd = process.cwd();
+      const os = require('os');
+      process.chdir(os.tmpdir());
+
+      try {
+        await reconfigureServer({
+          appId: 'test',
+          appName: 'exampleAppname',
+          publicServerURL: 'http://localhost:8378/1',
+          pages: { enableRouter: true },
+        });
+
+        // Request the password reset page with an invalid token;
+        // even with an invalid token, the server should serve the
+        // "invalid link" page (200), not a 404. A 404 indicates the
+        // HTML template files could not be found because pagesPath
+        // resolved to the wrong directory.
+        const response = await request({
+          url: 'http://localhost:8378/1/apps/test/request_password_reset?token=invalidToken',
+        }).catch(e => e);
+        expect(response.status).toBe(200);
+        expect(response.text).toContain('Invalid password reset link');
+      } finally {
+        process.chdir(originalCwd);
+      }
+    });
+  });
+
  describe('XSS Protection', () => {
    beforeEach(async () => {
      await reconfigureServer({
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -1368,6 +1368,34 @@ describe('Parse.File testing', () => {
          },
        })
      ).toBeRejectedWith('fileUpload.fileExtensions must be an array.');
+      await expectAsync(
+        reconfigureServer({
+          fileUpload: {
+            allowedFileUrlDomains: 'not-an-array',
+          },
+        })
+      ).toBeRejectedWith('fileUpload.allowedFileUrlDomains must be an array.');
+      await expectAsync(
+        reconfigureServer({
+          fileUpload: {
+            allowedFileUrlDomains: [123],
+          },
+        })
+      ).toBeRejectedWith('fileUpload.allowedFileUrlDomains must contain only non-empty strings.');
+      await expectAsync(
+        reconfigureServer({
+          fileUpload: {
+            allowedFileUrlDomains: [''],
+          },
+        })
+      ).toBeRejectedWith('fileUpload.allowedFileUrlDomains must contain only non-empty strings.');
+      await expectAsync(
+        reconfigureServer({
+          fileUpload: {
+            allowedFileUrlDomains: ['example.com'],
+          },
+        })
+      ).toBeResolved();
    });
  });

@@ -1625,4 +1653,229 @@ describe('Parse.File testing', () => {
      expect(b.url).toMatch(/^http:\/\/localhost:8378\/1\/files\/test\/.*file.html$/);
    });
  });
+
+  describe('File URL domain validation for SSRF prevention', () => {
+    it('rejects cloud function call with disallowed file URL', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: [],
+        },
+      });
+
+      Parse.Cloud.define('setUserIcon', () => {});
+
+      await expectAsync(
+        Parse.Cloud.run('setUserIcon', {
+          file: { __type: 'File', name: 'file.txt', url: 'http://malicious.example.com/leak' },
+        })
+      ).toBeRejectedWith(
+        jasmine.objectContaining({ message: jasmine.stringMatching(/not allowed/) })
+      );
+    });
+
+    it('rejects REST API create with disallowed file URL', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: [],
+        },
+      });
+
+      await expectAsync(
+        request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/classes/TestObject',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          body: {
+            file: {
+              __type: 'File',
+              name: 'test.txt',
+              url: 'http://malicious.example.com/file',
+            },
+          },
+        })
+      ).toBeRejectedWith(jasmine.objectContaining({ status: 400 }));
+    });
+
+    it('rejects REST API update with disallowed file URL', async () => {
+      const obj = new Parse.Object('TestObject');
+      await obj.save();
+
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: [],
+        },
+      });
+
+      await expectAsync(
+        request({
+          method: 'PUT',
+          url: `http://localhost:8378/1/classes/TestObject/${obj.id}`,
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          body: {
+            file: {
+              __type: 'File',
+              name: 'test.txt',
+              url: 'http://malicious.example.com/file',
+            },
+          },
+        })
+      ).toBeRejectedWith(jasmine.objectContaining({ status: 400 }));
+    });
+
+    it('allows file URLs matching configured domains', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: ['cdn.example.com'],
+        },
+      });
+
+      Parse.Cloud.define('setUserIcon', () => 'ok');
+
+      const result = await Parse.Cloud.run('setUserIcon', {
+        file: { __type: 'File', name: 'file.txt', url: 'http://cdn.example.com/file.txt' },
+      });
+      expect(result).toBe('ok');
+    });
+
+    it('allows file URLs when default wildcard is used', async () => {
+      Parse.Cloud.define('setUserIcon', () => 'ok');
+
+      const result = await Parse.Cloud.run('setUserIcon', {
+        file: { __type: 'File', name: 'file.txt', url: 'http://example.com/file.txt' },
+      });
+      expect(result).toBe('ok');
+    });
+
+    it('allows files with server-hosted URLs even when domains are restricted', async () => {
+      const file = new Parse.File('test.txt', [1, 2, 3]);
+      await file.save();
+
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: ['localhost'],
+        },
+      });
+
+      const result = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/TestObject',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: {
+          file: {
+            __type: 'File',
+            name: file.name(),
+            url: file.url(),
+          },
+        },
+      });
+      expect(result.status).toBe(201);
+    });
+
+    it('allows REST API create with file URL when default wildcard is used', async () => {
+      const result = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/TestObject',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: {
+          file: {
+            __type: 'File',
+            name: 'test.txt',
+            url: 'http://example.com/file.txt',
+          },
+        },
+      });
+      expect(result.status).toBe(201);
+    });
+
+    it('allows cloud function with name-only file when domains are restricted', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: [],
+        },
+      });
+
+      Parse.Cloud.define('processFile', req => req.params.file.name());
+
+      const result = await Parse.Cloud.run('processFile', {
+        file: { __type: 'File', name: 'test.txt' },
+      });
+      expect(result).toBe('test.txt');
+    });
+
+    it('rejects disallowed file URL in array field', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: [],
+        },
+      });
+
+      await expectAsync(
+        request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/classes/TestObject',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          body: {
+            files: [
+              {
+                __type: 'File',
+                name: 'test.txt',
+                url: 'http://malicious.example.com/file',
+              },
+            ],
+          },
+        })
+      ).toBeRejectedWith(jasmine.objectContaining({ status: 400 }));
+    });
+
+    it('rejects disallowed file URL nested in object', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          allowedFileUrlDomains: [],
+        },
+      });
+
+      await expectAsync(
+        request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/classes/TestObject',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Parse-Application-Id': 'test',
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          body: {
+            data: {
+              nested: {
+                file: {
+                  __type: 'File',
+                  name: 'test.txt',
+                  url: 'http://malicious.example.com/file',
+                },
+              },
+            },
+          },
+        })
+      ).toBeRejectedWith(jasmine.objectContaining({ status: 400 }));
+    });
+  });
 });
--- a/spec/ParseGraphQLServer.spec.js
+++ b/spec/ParseGraphQLServer.spec.js
@@ -10240,6 +10240,52 @@ describe('ParseGraphQLServer', () => {
          }
        });

+        it('should reject file with disallowed URL domain', async () => {
+          try {
+            parseServer = await global.reconfigureServer({
+              publicServerURL: 'http://localhost:13377/parse',
+              fileUpload: {
+                allowedFileUrlDomains: [],
+              },
+            });
+            await createGQLFromParseServer(parseServer);
+
+            const schemaController = await parseServer.config.databaseController.loadSchema();
+            await schemaController.addClassIfNotExists('SomeClass', {
+              someField: { type: 'File' },
+            });
+            await resetGraphQLCache();
+            await parseGraphQLServer.parseGraphQLSchema.schemaCache.clear();
+
+            const createResult = await apolloClient.mutate({
+              mutation: gql`
+                mutation CreateSomeObject($fields: CreateSomeClassFieldsInput) {
+                  createSomeClass(input: { fields: $fields }) {
+                    someClass {
+                      id
+                    }
+                  }
+                }
+              `,
+              variables: {
+                fields: {
+                  someField: {
+                    file: {
+                      name: 'test.txt',
+                      url: 'http://malicious.example.com/leak',
+                      __type: 'File',
+                    },
+                  },
+                },
+              },
+            });
+            fail('should have thrown');
+            expect(createResult).toBeUndefined();
+          } catch (e) {
+            expect(e.message).toMatch(/not allowed/);
+          }
+        });
+
        it('should support files on required file', async () => {
          try {
            parseServer = await global.reconfigureServer({
--- a/spec/ValidationAndPasswordsReset.spec.js
+++ b/spec/ValidationAndPasswordsReset.spec.js
@@ -284,6 +284,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
        expect(params.ip).toBeDefined();
        expect(params.master).toBeDefined();
        expect(params.installationId).toBeDefined();
+        expect(params.createdWith).toEqual({ action: 'login', authProvider: 'password' });
        return true;
      },
    };
--- a/spec/buildConfigDefinitions.spec.js
+++ b/spec/buildConfigDefinitions.spec.js
@@ -133,6 +133,72 @@ describe('buildConfigDefinitions', () => {
      expect(result.property.name).toBe('arrayParser');
    });

+    it('should return booleanOrFunctionParser for UnionTypeAnnotation containing boolean (nullable)', () => {
+      const mockElement = {
+        type: 'UnionTypeAnnotation',
+        typeAnnotation: {
+          types: [
+            { type: 'BooleanTypeAnnotation' },
+            { type: 'FunctionTypeAnnotation' },
+          ],
+        },
+      };
+
+      const result = mapperFor(mockElement, t);
+
+      expect(t.isMemberExpression(result)).toBe(true);
+      expect(result.object.name).toBe('parsers');
+      expect(result.property.name).toBe('booleanOrFunctionParser');
+    });
+
+    it('should return booleanOrFunctionParser for UnionTypeAnnotation containing boolean (non-nullable)', () => {
+      const mockElement = {
+        type: 'UnionTypeAnnotation',
+        types: [
+          { type: 'BooleanTypeAnnotation' },
+          { type: 'FunctionTypeAnnotation' },
+        ],
+      };
+
+      const result = mapperFor(mockElement, t);
+
+      expect(t.isMemberExpression(result)).toBe(true);
+      expect(result.object.name).toBe('parsers');
+      expect(result.property.name).toBe('booleanOrFunctionParser');
+    });
+
+    it('should return undefined for UnionTypeAnnotation without boolean', () => {
+      const mockElement = {
+        type: 'UnionTypeAnnotation',
+        typeAnnotation: {
+          types: [
+            { type: 'StringTypeAnnotation' },
+            { type: 'NumberTypeAnnotation' },
+          ],
+        },
+      };
+
+      const result = mapperFor(mockElement, t);
+
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined for UnionTypeAnnotation with boolean but without function', () => {
+      const mockElement = {
+        type: 'UnionTypeAnnotation',
+        typeAnnotation: {
+          types: [
+            { type: 'BooleanTypeAnnotation' },
+            { type: 'VoidTypeAnnotation' },
+          ],
+        },
+      };
+
+      const result = mapperFor(mockElement, t);
+
+      expect(result).toBeUndefined();
+    });
+
    it('should return objectParser for unknown GenericTypeAnnotation', () => {
      const mockElement = {
        type: 'GenericTypeAnnotation',
--- a/spec/parsers.spec.js
+++ b/spec/parsers.spec.js
@@ -3,6 +3,7 @@ const {
  numberOrBoolParser,
  numberOrStringParser,
  booleanParser,
+  booleanOrFunctionParser,
  objectParser,
  arrayParser,
  moduleOrObjectParser,
@@ -48,6 +49,23 @@ describe('parsers', () => {
    expect(parser(2)).toEqual(false);
  });

+  it('parses correctly with booleanOrFunctionParser', () => {
+    const parser = booleanOrFunctionParser;
+    // Preserves functions
+    const fn = () => true;
+    expect(parser(fn)).toBe(fn);
+    const asyncFn = async () => false;
+    expect(parser(asyncFn)).toBe(asyncFn);
+    // Parses booleans and string booleans like booleanParser
+    expect(parser(true)).toEqual(true);
+    expect(parser(false)).toEqual(false);
+    expect(parser('true')).toEqual(true);
+    expect(parser('false')).toEqual(false);
+    expect(parser('1')).toEqual(true);
+    expect(parser(1)).toEqual(true);
+    expect(parser(0)).toEqual(false);
+  });
+
  it('parses correctly with objectParser', () => {
    const parser = objectParser;
    expect(parser({ hello: 'world' })).toEqual({ hello: 'world' });
--- a/src/Config.js
+++ b/src/Config.js
@@ -326,9 +326,7 @@ export class Config {
    } else if (!isBoolean(pages.forceRedirect)) {
      throw 'Parse Server option pages.forceRedirect must be a boolean.';
    }
-    if (pages.pagesPath === undefined) {
-      pages.pagesPath = PagesOptions.pagesPath.default;
-    } else if (!isString(pages.pagesPath)) {
+    if (pages.pagesPath !== undefined && !isString(pages.pagesPath)) {
      throw 'Parse Server option pages.pagesPath must be a string.';
    }
    if (pages.pagesEndpoint === undefined) {
@@ -552,6 +550,17 @@ export class Config {
    } else if (!Array.isArray(fileUpload.fileExtensions)) {
      throw 'fileUpload.fileExtensions must be an array.';
    }
+    if (fileUpload.allowedFileUrlDomains === undefined) {
+      fileUpload.allowedFileUrlDomains = FileUploadOptions.allowedFileUrlDomains.default;
+    } else if (!Array.isArray(fileUpload.allowedFileUrlDomains)) {
+      throw 'fileUpload.allowedFileUrlDomains must be an array.';
+    } else {
+      for (const domain of fileUpload.allowedFileUrlDomains) {
+        if (typeof domain !== 'string' || domain === '') {
+          throw 'fileUpload.allowedFileUrlDomains must contain only non-empty strings.';
+        }
+      }
+    }
  }

  static validateIps(field, masterKeyIps) {
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -499,6 +499,12 @@ class DatabaseController {
    } catch (error) {
      return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
    }
+    try {
+      const { validateFileUrlsInObject } = require('../FileUrlValidator');
+      validateFileUrlsInObject(update, this.options);
+    } catch (error) {
+      return Promise.reject(error instanceof Parse.Error ? error : new Parse.Error(Parse.Error.FILE_SAVE_ERROR, error.message || error));
+    }
    const originalQuery = query;
    const originalUpdate = update;
    // Make a copy of the object, so we don't mutate the incoming data.
@@ -836,6 +842,12 @@ class DatabaseController {
    } catch (error) {
      return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
    }
+    try {
+      const { validateFileUrlsInObject } = require('../FileUrlValidator');
+      validateFileUrlsInObject(object, this.options);
+    } catch (error) {
+      return Promise.reject(error instanceof Parse.Error ? error : new Parse.Error(Parse.Error.FILE_SAVE_ERROR, error.message || error));
+    }
    // Make a copy of the object, so we don't mutate the incoming data.
    const originalObject = object;
    object = transformObjectACL(object);
--- a/src/Deprecator/Deprecations.js
+++ b/src/Deprecator/Deprecations.js
@@ -15,4 +15,10 @@
 *
 * If there are no deprecations, this must return an empty array.
 */
-module.exports = [];
+module.exports = [
+  {
+    optionKey: 'fileUpload.allowedFileUrlDomains',
+    changeNewDefault: '[]',
+    solution: "Set 'fileUpload.allowedFileUrlDomains' to the domains you want to allow, or to '[]' to block all file URLs.",
+  },
+];
--- a/src/FileUrlValidator.js
+++ b/src/FileUrlValidator.js
@@ -0,0 +1,68 @@
+const Parse = require('parse/node').Parse;
+
+/**
+ * Validates whether a File URL is allowed based on the configured allowed domains.
+ * @param {string} fileUrl - The URL to validate.
+ * @param {Object} config - The Parse Server config object.
+ * @throws {Parse.Error} If the URL is not allowed.
+ */
+function validateFileUrl(fileUrl, config) {
+  if (fileUrl == null || fileUrl === '') {
+    return;
+  }
+
+  const domains = config?.fileUpload?.allowedFileUrlDomains;
+  if (!Array.isArray(domains) || domains.includes('*')) {
+    return;
+  }
+
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(fileUrl);
+  } catch {
+    throw new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `Invalid file URL.`);
+  }
+
+  const fileHostname = parsedUrl.hostname.toLowerCase();
+  for (const domain of domains) {
+    const d = domain.toLowerCase();
+    if (fileHostname === d) {
+      return;
+    }
+    if (d.startsWith('*.') && fileHostname.endsWith(d.slice(1))) {
+      return;
+    }
+  }
+
+  throw new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File URL domain '${parsedUrl.hostname}' is not allowed.`);
+}
+
+/**
+ * Recursively scans an object for File type fields and validates their URLs.
+ * @param {any} obj - The object to scan.
+ * @param {Object} config - The Parse Server config object.
+ * @throws {Parse.Error} If any File URL is not allowed.
+ */
+function validateFileUrlsInObject(obj, config) {
+  if (obj == null || typeof obj !== 'object') {
+    return;
+  }
+  if (Array.isArray(obj)) {
+    for (const item of obj) {
+      validateFileUrlsInObject(item, config);
+    }
+    return;
+  }
+  if (obj.__type === 'File' && obj.url) {
+    validateFileUrl(obj.url, config);
+    return;
+  }
+  for (const key of Object.keys(obj)) {
+    const value = obj[key];
+    if (value && typeof value === 'object') {
+      validateFileUrlsInObject(value, config);
+    }
+  }
+}
+
+module.exports = { validateFileUrl, validateFileUrlsInObject };
--- a/src/GraphQL/transformers/mutation.js
+++ b/src/GraphQL/transformers/mutation.js
@@ -97,6 +97,10 @@ const transformers = {
      const { fileInfo } = await handleUpload(upload, config);
      return { ...fileInfo, __type: 'File' };
    } else if (file && file.name) {
+      if (file.url) {
+        const { validateFileUrl } = require('../../FileUrlValidator');
+        validateFileUrl(file.url, config);
+      }
      return { name: file.name, __type: 'File', url: file.url };
    }
    throw new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'Invalid file upload.');
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
--- a/src/Options/docs.js
+++ b/src/Options/docs.js
@@ -84,7 +84,7 @@
 * @property {String} playgroundPath Mount path for the GraphQL Playground, defaults to /playground
 * @property {Number} port The port to run the ParseServer, defaults to 1337.
 * @property {Boolean} preserveFileName Enable (or disable) the addition of a unique hash to the file names
- * @property {Boolean} preventLoginWithUnverifiedEmail Set to `true` to prevent a user from logging in if the email has not yet been verified and email verification is required.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.
+ * @property {Boolean} preventLoginWithUnverifiedEmail Set to `true` to prevent a user from logging in if the email has not yet been verified and email verification is required. Supports a function with a return value of `true` or `false` for conditional prevention. The function receives a request object that includes `createdWith` to indicate whether the invocation is for `signup` or `login` and the used auth provider.<br><br>The `createdWith` values per scenario:<ul><li>Password signup: `{ action: 'signup', authProvider: 'password' }`</li><li>Auth provider signup: `{ action: 'signup', authProvider: '<provider>' }`</li><li>Password login: `{ action: 'login', authProvider: 'password' }`</li><li>Auth provider login: function not invoked; auth provider login bypasses email verification</li></ul>Default is `false`.<br>Requires option `verifyUserEmails: true`.
 * @property {Boolean} preventSignupWithUnverifiedEmail If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.
 * @property {ProtectedFields} protectedFields Protected fields that should be treated with extra security when fetching details.
 * @property {Union} publicServerURL Optional. The public URL to Parse Server. This URL will be used to reach Parse Server publicly for features like password reset and email verification links. The option can be set to a string or a function that can be asynchronously resolved. The returned URL string must start with `http://` or `https://`.
@@ -108,7 +108,7 @@
 * @property {String[]} userSensitiveFields Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields
 * @property {Boolean} verbose Set the logging to verbose
 * @property {Boolean} verifyServerUrl Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.<br><br>⚠️ Server URL verification requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.<br><br>Default is `true`.
- * @property {Boolean} verifyUserEmails Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification.<br><br>Default is `false`.
+ * @property {Boolean} verifyUserEmails Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification. The function receives a request object that includes `createdWith` to indicate whether the invocation is for `signup` or `login` and the used auth provider.<br><br>The `createdWith` values per scenario:<ul><li>Password signup: `{ action: 'signup', authProvider: 'password' }`</li><li>Auth provider signup: `{ action: 'signup', authProvider: '<provider>' }`</li><li>Password login: `{ action: 'login', authProvider: 'password' }`</li><li>Auth provider login: function not invoked; auth provider login bypasses email verification</li><li>Resend verification email: `createdWith` is `undefined`; use the `resendRequest` property to identify those</li></ul>Default is `false`.
 * @property {String} webhookKey Key sent with outgoing webhook calls
 */

@@ -142,7 +142,7 @@
 * @property {String} localizationFallbackLocale The fallback locale for localization if no matching translation is provided for the given locale. This is only relevant when providing translation resources via JSON file.
 * @property {String} localizationJsonPath The path to the JSON file for localization; the translations will be used to fill template placeholders according to the locale.
 * @property {String} pagesEndpoint The API endpoint for the pages. Default is 'apps'.
- * @property {String} pagesPath The path to the pages directory; this also defines where the static endpoint '/apps' points to. Default is the './public/' directory.
+ * @property {String} pagesPath The path to the pages directory; this also defines where the static endpoint '/apps' points to. Default is the './public/' directory of the parse-server module.
 * @property {Object} placeholders The placeholder keys and values which will be filled in pages; this can be a simple object or a callback function.
 */

@@ -232,6 +232,7 @@

 /**
 * @interface FileUploadOptions
+ * @property {String[]} allowedFileUrlDomains Sets the allowed hostnames for file URLs referenced in Parse objects. When a File object includes a URL, its hostname must match one of these entries to be accepted. Supports exact hostnames (e.g., `'cdn.example.com'`) and wildcard subdomains (e.g., `'*.example.com'`). Use `['*']` to allow any domain. Use `[]` to block all file URLs (only name-based files allowed).
 * @property {Boolean} enableForAnonymousUser Is true if file upload should be allowed for anonymous users.
 * @property {Boolean} enableForAuthenticatedUser Is true if file upload should be allowed for authenticated users.
 * @property {Boolean} enableForPublic Is true if file upload should be allowed for anyone, regardless of user authentication.
--- a/src/Options/index.js
+++ b/src/Options/index.js
@@ -43,6 +43,22 @@ type RequestKeywordDenylist = {
  key: string | any,
  value: any,
 };
+type EmailVerificationRequest = {
+  original?: any,
+  object: any,
+  master?: boolean,
+  ip?: string,
+  installationId?: string,
+  createdWith?: {
+    action: 'login' | 'signup',
+    authProvider: string,
+  },
+  resendRequest?: boolean,
+};
+type SendEmailVerificationRequest = {
+  user: any,
+  master?: boolean,
+};

 export interface ParseServerOptions {
  /* Your Parse Application ID
@@ -174,18 +190,25 @@ export interface ParseServerOptions {
  /* Max file size for uploads, defaults to 20mb
  :DEFAULT: 20mb */
  maxUploadSize: ?string;
-  /* Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification.
+  /* Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification. The function receives a request object that includes `createdWith` to indicate whether the invocation is for `signup` or `login` and the used auth provider.
  <br><br>
+  The `createdWith` values per scenario:
+  <ul><li>Password signup: `{ action: 'signup', authProvider: 'password' }`</li><li>Auth provider signup: `{ action: 'signup', authProvider: '<provider>' }`</li><li>Password login: `{ action: 'login', authProvider: 'password' }`</li><li>Auth provider login: function not invoked; auth provider login bypasses email verification</li><li>Resend verification email: `createdWith` is `undefined`; use the `resendRequest` property to identify those</li></ul>
  Default is `false`.
  :DEFAULT: false */
-  verifyUserEmails: ?(boolean | void);
-  /* Set to `true` to prevent a user from logging in if the email has not yet been verified and email verification is required.
+  verifyUserEmails: ?(boolean | (EmailVerificationRequest => boolean | Promise<boolean>));
+  /* Set to `true` to prevent a user from logging in if the email has not yet been verified and email verification is required. Supports a function with a return value of `true` or `false` for conditional prevention. The function receives a request object that includes `createdWith` to indicate whether the invocation is for `signup` or `login` and the used auth provider.
  <br><br>
+  The `createdWith` values per scenario:
+  <ul><li>Password signup: `{ action: 'signup', authProvider: 'password' }`</li><li>Auth provider signup: `{ action: 'signup', authProvider: '<provider>' }`</li><li>Password login: `{ action: 'login', authProvider: 'password' }`</li><li>Auth provider login: function not invoked; auth provider login bypasses email verification</li></ul>
  Default is `false`.
  <br>
  Requires option `verifyUserEmails: true`.
  :DEFAULT: false */
-  preventLoginWithUnverifiedEmail: ?boolean;
+  preventLoginWithUnverifiedEmail: ?(
+    | boolean
+    | (EmailVerificationRequest => boolean | Promise<boolean>)
+  );
  /* If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
  <br><br>
  Default is `false`.
@@ -214,7 +237,10 @@ export interface ParseServerOptions {
  Default is `true`.
  <br>
  :DEFAULT: true */
-  sendUserEmailVerification: ?(boolean | void);
+  sendUserEmailVerification: ?(
+    | boolean
+    | (SendEmailVerificationRequest => boolean | Promise<boolean>)
+  );
  /* The account lockout policy for failed login attempts. */
  accountLockout: ?AccountLockoutOptions;
  /* The password policy for enforcing password related rules. */
@@ -411,8 +437,7 @@ export interface PagesOptions {
  /* Is true if responses should always be redirects and never content, false if the response type should depend on the request type (GET request -> content response; POST request -> redirect response).
  :DEFAULT: false */
  forceRedirect: ?boolean;
-  /* The path to the pages directory; this also defines where the static endpoint '/apps' points to. Default is the './public/' directory.
-  :DEFAULT: ./public */
+  /* The path to the pages directory; this also defines where the static endpoint '/apps' points to. Default is the './public/' directory of the parse-server module. */
  pagesPath: ?string;
  /* The API endpoint for the pages. Default is 'apps'.
  :DEFAULT: apps */
@@ -605,6 +630,9 @@ export interface FileUploadOptions {
  /* Is true if file upload should be allowed for anyone, regardless of user authentication.
  :DEFAULT: false */
  enableForPublic: ?boolean;
+  /* Sets the allowed hostnames for file URLs referenced in Parse objects. When a File object includes a URL, its hostname must match one of these entries to be accepted. Supports exact hostnames (e.g., `'cdn.example.com'`) and wildcard subdomains (e.g., `'*.example.com'`). Use `['*']` to allow any domain. Use `[]` to block all file URLs (only name-based files allowed).
+  :DEFAULT: ["*"] */
+  allowedFileUrlDomains: ?(string[]);
 }

 /* The available log levels for Parse Server logging. Valid values are:<br>- `'error'` - Error level (highest priority)<br>- `'warn'` - Warning level<br>- `'info'` - Info level (default)<br>- `'verbose'` - Verbose level<br>- `'debug'` - Debug level<br>- `'silly'` - Silly level (lowest priority) */
--- a/src/Options/parsers.js
+++ b/src/Options/parsers.js
@@ -68,6 +68,13 @@ function booleanParser(opt) {
  return false;
 }

+function booleanOrFunctionParser(opt) {
+  if (typeof opt === 'function') {
+    return opt;
+  }
+  return booleanParser(opt);
+}
+
 function nullParser(opt) {
  if (opt == 'null') {
    return null;
@@ -81,6 +88,7 @@ module.exports = {
  numberOrStringParser,
  nullParser,
  booleanParser,
+  booleanOrFunctionParser,
  moduleOrObjectParser,
  arrayParser,
  objectParser,
--- a/src/ParseServer.ts
+++ b/src/ParseServer.ts
@@ -532,7 +532,7 @@ class ParseServer {
        let url;
        try {
          url = new URL(string);
-        } catch (_) {
+        } catch {
          return false;
        }
        return url.protocol === 'http:' || url.protocol === 'https:';
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -771,6 +771,30 @@ RestWrite.prototype._validateUserName = function () {
    });
 };

+RestWrite.buildCreatedWith = function (action, authProvider) {
+  return { action, authProvider: authProvider || 'password' };
+};
+
+RestWrite.prototype.getCreatedWith = function () {
+  if (this.storage.createdWith) {
+    return this.storage.createdWith;
+  }
+  const isCreateOperation = !this.query;
+  const authDataProvider =
+    this.data?.authData &&
+    Object.keys(this.data.authData).length &&
+    Object.keys(this.data.authData).join(',');
+  const authProvider = this.storage.authProvider || authDataProvider;
+  // storage.authProvider is only set for login (existing user found in handleAuthData)
+  const action = this.storage.authProvider ? 'login' : isCreateOperation ? 'signup' : undefined;
+  if (!action) {
+    return;
+  }
+  const resolvedAuthProvider = authProvider || (action === 'signup' ? 'password' : undefined);
+  this.storage.createdWith = RestWrite.buildCreatedWith(action, resolvedAuthProvider);
+  return this.storage.createdWith;
+};
+
 /*
  As with usernames, Parse should not allow case insensitive collisions of email.
  unlike with usernames (which can have case insensitive collisions in the case of
@@ -826,6 +850,7 @@ RestWrite.prototype._validateEmail = function () {
          master: this.auth.isMaster,
          ip: this.config.ip,
          installationId: this.auth.installationId,
+          createdWith: this.getCreatedWith(),
        };
        return this.config.userController.setEmailVerifyToken(this.data, request, this.storage);
      }
@@ -961,6 +986,7 @@ RestWrite.prototype.createSessionTokenIfNeeded = async function () {
      master: this.auth.isMaster,
      ip: this.config.ip,
      installationId: this.auth.installationId,
+      createdWith: this.getCreatedWith(),
    };
    // Get verification conditions which can be booleans or functions; the purpose of this async/await
    // structure is to avoid unnecessarily executing subsequent functions if previous ones fail in the
@@ -985,14 +1011,14 @@ RestWrite.prototype.createSessionToken = async function () {

  if (this.storage.authProvider == null && this.data.authData) {
    this.storage.authProvider = Object.keys(this.data.authData).join(',');
+    // Invalidate cached createdWith since authProvider was just resolved
+    delete this.storage.createdWith;
  }

+  const createdWith = this.getCreatedWith();
  const { sessionData, createSession } = RestWrite.createSession(this.config, {
    userId: this.objectId(),
-    createdWith: {
-      action: this.storage.authProvider ? 'login' : 'signup',
-      authProvider: this.storage.authProvider || 'password',
-    },
+    createdWith,
    installationId: this.auth.installationId,
  });

--- a/src/Routers/FunctionsRouter.js
+++ b/src/Routers/FunctionsRouter.js
@@ -17,6 +17,10 @@ function parseObject(obj, config) {
  } else if (obj && obj.__type == 'Date') {
    return Object.assign(new Date(obj.iso), obj);
  } else if (obj && obj.__type == 'File') {
+    if (obj.url) {
+      const { validateFileUrl } = require('../FileUrlValidator');
+      validateFileUrl(obj.url, config);
+    }
    return Parse.File.fromJSON(obj);
  } else if (obj && obj.__type == 'Pointer') {
    return Parse.Object.fromJSON({
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -140,11 +140,17 @@ export class UsersRouter extends ClassesRouter {
            throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
          }
          // Create request object for verification functions
+          const authProvider =
+            req.body &&
+            req.body.authData &&
+            Object.keys(req.body.authData).length &&
+            Object.keys(req.body.authData).join(',');
          const request = {
            master: req.auth.isMaster,
            ip: req.config.ip,
            installationId: req.auth.installationId,
            object: Parse.User.fromJSON(Object.assign({ className: '_User' }, user)),
+            createdWith: RestWrite.buildCreatedWith('login', authProvider),
          };

          // If request doesn't use master or maintenance key with ignoring email verification
@@ -290,10 +296,7 @@ export class UsersRouter extends ClassesRouter {

    const { sessionData, createSession } = RestWrite.createSession(req.config, {
      userId: user.objectId,
-      createdWith: {
-        action: 'login',
-        authProvider: 'password',
-      },
+      createdWith: RestWrite.buildCreatedWith('login'),
      installationId: req.info.installationId,
    });

@@ -360,10 +363,7 @@ export class UsersRouter extends ClassesRouter {

    const { sessionData, createSession } = RestWrite.createSession(req.config, {
      userId,
-      createdWith: {
-        action: 'login',
-        authProvider: 'masterkey',
-      },
+      createdWith: RestWrite.buildCreatedWith('login', 'masterkey'),
      installationId: req.info.installationId,
    });

--- a/types/Options/index.d.ts
+++ b/types/Options/index.d.ts
@@ -26,6 +26,22 @@ type RequestKeywordDenylist = {
    key: string;
    value: any;
 };
+export interface EmailVerificationRequest {
+    original?: any;
+    object: any;
+    master?: boolean;
+    ip?: string;
+    installationId?: string;
+    createdWith?: {
+        action: 'login' | 'signup';
+        authProvider: string;
+    };
+    resendRequest?: boolean;
+}
+export interface SendEmailVerificationRequest {
+    user: any;
+    master?: boolean;
+}
 export interface ParseServerOptions {
    appId: string;
    masterKey: (() => void) | string;
@@ -74,12 +90,12 @@ export interface ParseServerOptions {
    auth?: Record<string, AuthAdapter>;
    enableInsecureAuthAdapters?: boolean;
    maxUploadSize?: string;
-    verifyUserEmails?: (boolean | void);
-    preventLoginWithUnverifiedEmail?: boolean;
+    verifyUserEmails?: boolean | ((params: EmailVerificationRequest) => boolean | Promise<boolean>);
+    preventLoginWithUnverifiedEmail?: boolean | ((params: EmailVerificationRequest) => boolean | Promise<boolean>);
    preventSignupWithUnverifiedEmail?: boolean;
    emailVerifyTokenValidityDuration?: number;
    emailVerifyTokenReuseIfValid?: boolean;
-    sendUserEmailVerification?: (boolean | void);
+    sendUserEmailVerification?: boolean | ((params: SendEmailVerificationRequest) => boolean | Promise<boolean>);
    accountLockout?: AccountLockoutOptions;
    passwordPolicy?: PasswordPolicyOptions;
    cacheAdapter?: Adapter<CacheAdapter>;
@@ -220,6 +236,7 @@ export interface PasswordPolicyOptions {
    resetPasswordSuccessOnInvalidEmail?: boolean;
 }
 export interface FileUploadOptions {
+    allowedFileUrlDomains?: string[];
    fileExtensions?: (string[]);
    enableForAnonymousUser?: boolean;
    enableForAuthenticatedUser?: boolean;
Author	SHA1	Message	Date
semantic-release-bot	96b8c627d7	chore(release): 9.3.0-alpha.3 [skip ci] # [9.3.0-alpha.3](https://github.com/parse-community/parse-server/compare/9.3.0-alpha.2...9.3.0-alpha.3) (2026-02-07) ### Features * Add `Parse.File.url` validation with config `fileUpload.allowedFileUrlDomains` against SSRF attacks ([#10044](https://github.com/parse-community/parse-server/issues/10044)) ([`4c9c948`](`4c9c9489f0`))	2026-02-07 17:04:27 +00:00
Manuel	4c9c9489f0	feat: Add `Parse.File.url` validation with config `fileUpload.allowedFileUrlDomains` against SSRF attacks (#10044 )	2026-02-07 17:03:39 +00:00
Manuel	9e07ca6d3b	refactor: Bump prettier from 2.0.5 to 3.8.1 (#10042 )	2026-02-07 01:11:09 +00:00
dependabot[bot]	558e1a3204	refactor: Bump @semantic-release/release-notes-generator from 14.0.3 to 14.1.0 (#10038 )	2026-02-06 16:42:52 +00:00
semantic-release-bot	97de70a017	chore(release): 9.3.0-alpha.2 [skip ci] # [9.3.0-alpha.2](https://github.com/parse-community/parse-server/compare/9.3.0-alpha.1...9.3.0-alpha.2) (2026-02-06) ### Bug Fixes * Default HTML pages for password reset, email verification not found ([#10041](https://github.com/parse-community/parse-server/issues/10041)) ([`a4265bb`](`a4265bb124`))	2026-02-06 16:31:03 +00:00
Manuel	a4265bb124	fix: Default HTML pages for password reset, email verification not found (#10041 )	2026-02-06 16:30:13 +00:00
dependabot[bot]	c1f1800cad	refactor: Bump commander from 14.0.2 to 14.0.3 (#10039 )	2026-02-06 15:19:51 +00:00
semantic-release-bot	27b27a7f5c	chore(release): 9.3.0-alpha.1 [skip ci] # [9.3.0-alpha.1](https://github.com/parse-community/parse-server/compare/9.2.1-alpha.2...9.3.0-alpha.1) (2026-02-06) ### Features * Add event information to `verifyUserEmails`, `preventLoginWithUnverifiedEmail` to identify invoking signup / login action and auth provider ([#9963](https://github.com/parse-community/parse-server/issues/9963)) ([`ed98c15`](`ed98c15f90`))	2026-02-06 03:49:32 +00:00
Palixir	ed98c15f90	feat: Add event information to `verifyUserEmails`, `preventLoginWithUnverifiedEmail` to identify invoking signup / login action and auth provider (#9963 )	2026-02-06 03:48:35 +00:00