Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 18abdd9
Author: Manuel
Date: 2026-03-10T04:22:17Z
Commit Message
fix: MFA recovery codes not consumed after use ([GHSA-4hf6-3x24-c9m8](https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8)) (#10170)
Pull Request
PR: #10170 - fix: MFA recovery codes not consumed after use (GHSA-4hf6-3x24-c9m8)
Labels: state:released-alpha
Description:
Pull Request
Issue
MFA recovery codes not consumed after use ([GHSA-4hf6-3x24-c9m8](https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8))
Analysis
Vulnerability Type: Authentication Bypass / MFA Recovery Code Replay
Severity: High
Description
Before the patch, multi-factor authentication (MFA) recovery codes were not consumed after use, allowing an attacker with knowledge of a recovery code to reuse it multiple times to bypass MFA protection. The patch fixes this by marking recovery codes as single-use, removing them from the valid recovery code list upon first successful use.
Affected Code
```javascript
// Pre-patch check: `recovery` holds the user's stored recovery codes and `token`
// is the value submitted for MFA. A match returns success, but the matched code
// is never removed from `recovery`, so the same code is accepted on every later attempt.
if (recovery[0] === token || recovery[1] === token) {
  return saveResponse;
}
```
Proof of Concept
1. Sign up and enrol MFA for a user so that a valid set of recovery codes is generated.
2. Use one valid recovery code to authenticate MFA successfully once.
3. Reuse the same recovery code for a second authentication attempt.
Expected behavior before patch: Both attempts succeed, allowing unlimited MFA bypass with a stolen recovery code.
Expected behavior after patch: Second attempt fails with 'Invalid MFA token', showing that reuse is blocked.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-10T06:00:50.912Z