Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 5e70094
Author: Manuel
Date: 2026-03-22T01:59:48Z
Commit Message
fix: MFA recovery code single-use bypass via concurrent requests ([GHSA-2299-ghjr-6vjp](https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp)) (#10275)
Pull Request
PR: #10275 - fix: MFA recovery code single-use bypass via concurrent requests (GHSA-2299-ghjr-6vjp)
Labels: state:released-alpha
Description:
Issue
MFA recovery code single-use bypass via concurrent requests ([GHSA-2299-ghjr-6vjp](https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp))
Analysis
Vulnerability Type: Authentication Bypass
Severity: High
Description
Before the patch, the login handler validated a recovery code and then wrote the updated authData back to the _User record with an unconditional update. Because there is an await between the read that checks the code and the write that removes it, several concurrent login requests could all read the same unconsumed code, all pass the check, and all succeed, with the last write simply overwriting the others. This defeats the single-use restriction on recovery codes: an attacker holding one recovery code can reuse it by sending concurrent requests. The patch introduces optimistic locking so that only one of the competing updates can succeed, and rejects the concurrent login attempts that lose the race rather than accepting them.
Affected Code
```javascript
// Unconditional update: succeeds regardless of whether another request has
// already consumed the recovery code since this request read it.
await req.config.database.update(
  '_User',
  { objectId: user.objectId },
  { authData: validatedAuthData },
  {}
);
```
Proof of Concept
1. Set up a user with MFA enabled and a valid, unused recovery code.
2. Send multiple (e.g., 10) concurrent POST requests to the /1/login endpoint, each using the same recovery code in the authData.mfa.token field.
3. Before the patch, all 10 requests succeed, so a single recovery code can be reused repeatedly. After the patch, only one of the concurrent requests should succeed and the rest should be rejected.
Example HTTP request body:
```json
{
  "username": "mfauser",
  "password": "password123",
  "authData": { "mfa": { "token": "<valid_recovery_code>" } }
}
```
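The race in the steps above, reproduced as an added, self-contained simulation in JavaScript. This is not parse-server's code: the in-memory user record, the simulated datastore (`makeStore`), the `loginVulnerable` / `loginHardened` handlers and the `version` field used for optimistic locking are all constructed for the example. It runs 10 concurrent logins with the same recovery code against a check-then-act handler and against one whose write is conditional on the version it read, and reports how many attempts each accepted.

```javascript
// Constructed simulation of the recovery-code race; not parse-server code.

// Stand-in for the stored _User record. `version` is only used by the
// hardened path (optimistic locking); the vulnerable path ignores it.
function makeUser() {
  return {
    objectId: 'u1',
    version: 0,
    authData: { mfa: { recovery: ['code-A', 'code-B'] } },
  };
}

// Simulated async datastore. Every read/write yields to the event loop
// (setImmediate), which is what lets concurrent requests interleave exactly
// as they would against a real database.
function makeStore(user) {
  const tick = () => new Promise((resolve) => setImmediate(resolve));
  return {
    async read() {
      await tick();
      return JSON.parse(JSON.stringify(user)); // snapshot, like a query result
    },
    // Unconditional update: last writer wins (the vulnerable pattern).
    async update(fields) {
      await tick();
      Object.assign(user, fields);
      return true;
    },
    // Conditional update: applies only if the stored version still equals the
    // version the caller read (optimistic locking / compare-and-swap).
    async updateIfVersion(expectedVersion, fields) {
      await tick();
      if (user.version !== expectedVersion) return false;
      Object.assign(user, fields, { version: expectedVersion + 1 });
      return true;
    },
  };
}

// Vulnerable login: check-then-act with an await between the read and the write.
async function loginVulnerable(store, token) {
  const u = await store.read();
  const codes = u.authData.mfa.recovery;
  if (!codes.includes(token)) return false;
  // Every concurrent request that read the same snapshot passes the check above.
  const remaining = codes.filter((c) => c !== token);
  await store.update({ authData: { mfa: { recovery: remaining } } });
  return true;
}

// Hardened login: same check, but the write only succeeds if nobody else has
// modified the record since it was read. Losers are rejected, not retried.
async function loginHardened(store, token) {
  const u = await store.read();
  const codes = u.authData.mfa.recovery;
  if (!codes.includes(token)) return false;
  const remaining = codes.filter((c) => c !== token);
  return store.updateIfVersion(u.version, {
    authData: { mfa: { recovery: remaining } },
  });
}

// Fire n logins with the same recovery code concurrently and count acceptances.
async function race(loginFn, n = 10) {
  const user = makeUser();
  const store = makeStore(user);
  const results = await Promise.all(
    Array.from({ length: n }, () => loginFn(store, 'code-A'))
  );
  return {
    accepted: results.filter(Boolean).length,
    remaining: user.authData.mfa.recovery,
  };
}

// Returns { vulnerable: 10, hardened: 1 } for the default n = 10.
async function demo() {
  const v = await race(loginVulnerable);
  const h = await race(loginHardened);
  return { vulnerable: v.accepted, hardened: h.accepted };
}

demo().then((r) => console.log(r));
```

The key observation is that both handlers perform the same `includes` check; the difference is entirely in whether the write can succeed after a competing writer has already consumed the code. In a real deployment the same compare-and-swap has to be pushed down to the database (a conditional update on a version or on the recovery-code array itself), since an in-process check does nothing across multiple server instances.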
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-22T06:00:40.930Z