Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 84db0a0
Author: Manuel
Date: 2026-03-16T02:59:21Z
Commit Message
fix: Password reset token single-use bypass via concurrent requests ([GHSA-r3xq-68wh-gwvh](https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh)) (#10216)
Pull Request
PR: #10216 - fix: Password reset token single-use bypass via concurrent requests (GHSA-r3xq-68wh-gwvh)
Labels: state:released-alpha
Description:
Issue
Password reset token single-use bypass via concurrent requests ([GHSA-r3xq-68wh-gwvh](https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh))
Analysis
Vulnerability Type: Race Condition / Token Replay
Severity: High
Description
The password reset flow enforced the single-use property of the perishable token as a check-then-act sequence: the token was verified, and the password written, in separate steps. Two requests presenting the same token at the same time could therefore both pass verification before either consumed it, so a single reset token could be used more than once. An attacker holding one token could reset the user's password repeatedly and choose the final value, taking over the account. The patch consumes the perishable token atomically as part of the password write, so the first request to land invalidates the token and any concurrent request using it is rejected.
Affected Code
// Before the fix: the password is written by objectId alone. The perishable
// token that authorised this reset is neither part of the update query nor
// cleared in the same write, so a second request that has already passed
// token verification can write another password after this one.
function updateUserPassword(user, password, config) {
  return update(config, Auth.master(config), '_User',
    { objectId: user.objectId },
    { password: password }
  );
}
Proof of Concept
1. Initiate a password reset request for the target user so that a valid reset token is issued.
2. Obtain the reset token (in a test setup, read it from the user's record in the database; in a real attack it would come from the reset link the user receives).
3. Submit two concurrent POST requests to the password reset endpoint, each carrying the same token but a different new password:
   - POST /request_password_reset with body token=<reset_token>&new_password=PasswordA1!
   - POST /request_password_reset with body token=<reset_token>&new_password=PasswordB1!
4. Before the patch, both requests succeed: the token is accepted twice and the attacker chooses which password is final.
5. After the patch, exactly one request succeeds; the other is rejected with a 'token invalid' error, so the token cannot be replayed.
The two requests must actually overlap in flight. A second request sent after the first has completed is rejected on vulnerable versions as well, because the token is consumed once the first reset finishes; only the concurrent window is exploitable. Within that window, a single leaked or captured reset token gives the attacker full control of the account password.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-16T06:01:01.222Z