Parse Server, Improper Resource Expiration, CVE-2026-31875 (High)

Listen to this Post

Parse Server versions prior to 8.6.33 and 9.6.0-alpha.7 contain a vulnerability in the Multi-Factor Authentication (MFA) implementation. When MFA via TOTP is enabled, the system generates two single-use recovery codes as a fallback for users who cannot provide a TOTP token. Due to improper resource expiration (CWE-672), these recovery codes are not consumed after successful use. The codes remain valid indefinitely, allowing an attacker who obtains a single recovery code to repeatedly authenticate as the affected user without the code ever being invalidated. This completely defeats the single-use security design of recovery codes and weakens MFA-protected accounts. The vulnerability exists because the server fails to remove the recovery code from the stored list after validating it during login. An attacker with network access who possesses a valid recovery code can exploit this flaw to gain persistent unauthorized access to the victim’s account .

DailyCVE Form:

Platform: Parse Server
Version: <8.6.33, <9.6.0-alpha.7
Vulnerability: MFA recovery reuse
Severity: High
Date: March 11, 2026

Prediction: Patched versions already released

What Undercode Say:

Analytics:

  • Affected Component: MFA TOTP recovery code handling
  • Attack Vector: Network-based authentication using valid recovery code
  • CWE Classification: CWE-672 (Operation on Resource after Expiration)
  • CVSS Score: 8.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
  • Fix Implementation: Code removal from storage after single use

Commands:

Check Parse Server Version:

npm list parse-server
or for globally installed
npm list -g parse-server

Upgrade to Patched Version:

Upgrade to latest patched version
npm install [email protected]
or for alpha version users
npm install [email protected]

Verify MFA Configuration:

Check MongoDB for MFA recovery codes (example query)
mongo your_parse_db --eval "db._User.find({'authData.mfa.recoveryCodes': {\$exists: true}}).count()"

Monitor for Multiple Uses:

Check logs for repeated recovery code usage (pseudocode)
grep "mfa.recovery.code.used" /var/log/parse-server.log | awk '{print $1,$2,$7}' | sort | uniq -c

Exploit:

Exploit Scenario:

  1. Attacker obtains a single MFA recovery code through phishing, data breach, or interception
  2. Attacker authenticates using the code: `POST /login` with `{ “username”: “victim”, “mfaRecoveryCode”: “XXXXX-XXXXX” }`
    3. Server validates the code but fails to remove it from storage
  3. Attacker can reuse the same code indefinitely for persistent access

Proof of Concept Flow:

// Step 1: First login with recovery code (valid)
POST /parse/login
{
"username": "[email protected]",
"mfaRecoveryCode": "ABCDE-FGHIJ"
}
// Response: 200 OK with session token
// Step 2: Logout and login again with SAME code
POST /parse/login
{
"username": "[email protected]",
"mfaRecoveryCode": "ABCDE-FGHIJ" // Same code works again
}
// Response: 200 OK - Vulnerability confirmed

Protection:

1. Immediate Patching:

// Update to patched version in package.json
{
"dependencies": {
"parse-server": "8.6.33" // or 9.6.0-alpha.7
}
}

2. Verify Patch Implementation:

// After patching, code is consumed after use
async function verifyRecoveryCode(user, submittedCode) {
const storedCodes = user.get('mfa').recoveryCodes;
const index = storedCodes.indexOf(submittedCode);
if (index > -1) {
// FIX: Remove the code after validation
storedCodes.splice(index, 1);
user.set('mfa.recoveryCodes', storedCodes);
await user.save(null, { useMasterKey: true });
return true;
}
return false;
}

3. Audit Existing Users:

// Force recovery code rotation for all MFA users
Parse.Cloud.job("rotateRecoveryCodes", async (request) => {
const query = new Parse.Query(Parse.User);
query.exists("mfa.recoveryCodes");
const users = await query.find({ useMasterKey: true });
for (const user of users) {
// Generate new recovery codes
const newCodes = generateRecoveryCodes();
user.set("mfa.recoveryCodes", newCodes);
await user.save(null, { useMasterKey: true });
// Notify user of code rotation
await sendNotification(user, "Your MFA recovery codes have been rotated");
}
});

4. Detection Rule (Splunk/ELK):

index=parse-server sourcetype=parse_logs "mfa_recovery_code_used"
| stats count by username, code_hash
| where count > 1
| table _time, username, count

Impact:

  • Account Compromise: Single stolen recovery code grants unlimited persistent access
  • MFA Bypass: Defeats the security purpose of multi-factor authentication
  • Privilege Escalation: Enables lateral movement if compromised account has elevated privileges
  • Data Breach Risk: Unauthorized access to sensitive user data stored in Parse Server
  • Compliance Violation: Breaches security controls required by regulations (GDPR, HIPAA, PCI-DSS)
  • Business Impact: Application data integrity compromised, user trust eroded
  • Recovery Difficulty: Requires manual rotation of all recovery codes and user notification

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top