Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: fbda4cb
Author: Manuel
Date: 2026-03-19T02:09:59Z
Commit Message
fix: Email verification resend page leaks user existence (GHSA-h29g-q5c2-9h4f) (#10238)
Pull Request
PR: #10238 - fix: Email verification resend page leaks user existence (GHSA-h29g-q5c2-9h4f)
Labels: state:released-alpha
Description:
Issue
Email verification resend page leaks user existence (GHSA-h29g-q5c2-9h4f)
Summary by CodeRabbit
New Features
- Added a configuration option to control email verification redirect behavior on invalid/non-existent user accounts, enhancing security by preventing user enumeration attacks.
Tests
Analysis
Vulnerability Type: User Enumeration
Severity: Medium
Description
Before the patch, the email verification resend endpoint leaked whether a user exists by redirecting to a different page depending on whether the username was found. This allowed an attacker to probe for valid usernames via the resend verification email functionality, facilitating user enumeration. The patch adds a configuration option that unifies the response (always redirecting to the success page), suppressing this information leak and preventing username enumeration.
Affected Code
return userController.resendVerificationEmail(username, req, token).then(
  () => {
    // User found and verification email sent: redirect to the success page.
    return this.goToPage(req, pages.emailVerificationSendSuccess);
  },
  () => {
    // User not found (or send failed): redirect to a different page,
    // which reveals to the requester whether the username exists.
    return this.goToPage(req, pages.emailVerificationSendFail);
  }
);
Proof of Concept
Send two POST requests to the /resend_verification_email endpoint:
1. For an existing user:
curl -X POST -d 'username=realuser' http://server/apps/appId/resend_verification_email -i
-> Returns HTTP 303 redirect to 'email_verification_send_success' page
2. For a non-existing user:
curl -X POST -d 'username=fakeuser' http://server/apps/appId/resend_verification_email -i
-> Returns HTTP 303 redirect to 'email_verification_send_fail' page
An attacker can distinguish valid users from invalid ones by the different redirect locations, enabling user enumeration.
After the patch, both requests respond with a redirect to the success page, preventing this distinction.
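The before/after behaviour described above, modelled in JavaScript as an added example that is not parse-server's own code; the option name `unifyRedirect`, the in-memory user store and the `pages`, `userController` and `goToPage` stand-ins are assumptions, and `leaksUserExistence` is a constructed regression check a defender can run against either handler:

```javascript
// Added illustration (not parse-server's code): a minimal model of the resend
// handler before and after the fix. `pages`, `userController`, `goToPage` and
// the option `unifyRedirect` are constructed stand-ins, not the real API.
const pages = {
  emailVerificationSendSuccess: 'email_verification_send_success',
  emailVerificationSendFail: 'email_verification_send_fail',
};

// Constructed user store: only these usernames "exist".
const knownUsers = new Set(['realuser']);

const userController = {
  resendVerificationEmail(username) {
    return knownUsers.has(username)
      ? Promise.resolve()
      : Promise.reject(new Error('user not found'));
  },
};

// Stand-in for goToPage: return the redirect target instead of sending a 303.
function goToPage(page) {
  return { status: 303, location: page };
}

// Before the fix: success and failure map to different redirect targets,
// so the response reveals whether the username exists.
function resendVulnerable(username) {
  return userController.resendVerificationEmail(username).then(
    () => goToPage(pages.emailVerificationSendSuccess),
    () => goToPage(pages.emailVerificationSendFail)
  );
}

// After the fix: with the option enabled, both outcomes redirect to the
// success page, so the response no longer distinguishes the two cases.
function resendHardened(username, config = { unifyRedirect: true }) {
  return userController.resendVerificationEmail(username).then(
    () => goToPage(pages.emailVerificationSendSuccess),
    () => goToPage(config.unifyRedirect ? pages.emailVerificationSendSuccess
                                        : pages.emailVerificationSendFail)
  );
}

// Defender's check: a handler leaks user existence if the redirect target
// differs between an existing and a non-existing username.
async function leaksUserExistence(handler) {
  const [a, b] = await Promise.all([handler('realuser'), handler('fakeuser')]);
  return a.location !== b.location;
}
```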
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-19T06:01:08.920Z