Listen to this Post
Parse Server versions prior to 8.6.33 and 9.6.0-alpha.7 contain a vulnerability in the Multi-Factor Authentication (MFA) implementation. When MFA via TOTP is enabled, the system generates two single-use recovery codes as a fallback for users who cannot provide a TOTP token. Due to improper resource expiration (CWE-672), these recovery codes are not consumed after successful use. The codes remain valid indefinitely, allowing an attacker who obtains a single recovery code to repeatedly authenticate as the affected user without the code ever being invalidated. This completely defeats the single-use security design of recovery codes and weakens MFA-protected accounts. The vulnerability exists because the server fails to remove the recovery code from the stored list after validating it during login. An attacker with network access who possesses a valid recovery code can exploit this flaw to gain persistent unauthorized access to the victim’s account .
DailyCVE Form:
Platform: Parse Server
Version: <8.6.33, <9.6.0-alpha.7
Vulnerability: MFA recovery reuse
Severity: High
Date: March 11, 2026
Prediction: Patched versions already released
What Undercode Say:
Analytics:
- Affected Component: MFA TOTP recovery code handling
- Attack Vector: Network-based authentication using valid recovery code
- CWE Classification: CWE-672 (Operation on Resource after Expiration)
- CVSS Score: 8.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
- Fix Implementation: Code removal from storage after single use
Commands:
Check Parse Server Version:
npm list parse-server or for globally installed npm list -g parse-server
Upgrade to Patched Version:
Upgrade to latest patched version npm install [email protected] or for alpha version users npm install [email protected]
Verify MFA Configuration:
Check MongoDB for MFA recovery codes (example query)
mongo your_parse_db --eval "db._User.find({'authData.mfa.recoveryCodes': {\$exists: true}}).count()"
Monitor for Multiple Uses:
Check logs for repeated recovery code usage (pseudocode)
grep "mfa.recovery.code.used" /var/log/parse-server.log | awk '{print $1,$2,$7}' | sort | uniq -c
Exploit:
Exploit Scenario:
- Attacker obtains a single MFA recovery code through phishing, data breach, or interception
- Attacker authenticates using the code: `POST /login` with `{ “username”: “victim”, “mfaRecoveryCode”: “XXXXX-XXXXX” }`
3. Server validates the code but fails to remove it from storage - Attacker can reuse the same code indefinitely for persistent access
Proof of Concept Flow:
// Step 1: First login with recovery code (valid)
POST /parse/login
{
"username": "[email protected]",
"mfaRecoveryCode": "ABCDE-FGHIJ"
}
// Response: 200 OK with session token
// Step 2: Logout and login again with SAME code
POST /parse/login
{
"username": "[email protected]",
"mfaRecoveryCode": "ABCDE-FGHIJ" // Same code works again
}
// Response: 200 OK - Vulnerability confirmed
Protection:
1. Immediate Patching:
// Update to patched version in package.json
{
"dependencies": {
"parse-server": "8.6.33" // or 9.6.0-alpha.7
}
}
2. Verify Patch Implementation:
// After patching, code is consumed after use
async function verifyRecoveryCode(user, submittedCode) {
const storedCodes = user.get('mfa').recoveryCodes;
const index = storedCodes.indexOf(submittedCode);
if (index > -1) {
// FIX: Remove the code after validation
storedCodes.splice(index, 1);
user.set('mfa.recoveryCodes', storedCodes);
await user.save(null, { useMasterKey: true });
return true;
}
return false;
}
3. Audit Existing Users:
// Force recovery code rotation for all MFA users
Parse.Cloud.job("rotateRecoveryCodes", async (request) => {
const query = new Parse.Query(Parse.User);
query.exists("mfa.recoveryCodes");
const users = await query.find({ useMasterKey: true });
for (const user of users) {
// Generate new recovery codes
const newCodes = generateRecoveryCodes();
user.set("mfa.recoveryCodes", newCodes);
await user.save(null, { useMasterKey: true });
// Notify user of code rotation
await sendNotification(user, "Your MFA recovery codes have been rotated");
}
});
4. Detection Rule (Splunk/ELK):
index=parse-server sourcetype=parse_logs "mfa_recovery_code_used" | stats count by username, code_hash | where count > 1 | table _time, username, count
Impact:
- Account Compromise: Single stolen recovery code grants unlimited persistent access
- MFA Bypass: Defeats the security purpose of multi-factor authentication
- Privilege Escalation: Enables lateral movement if compromised account has elevated privileges
- Data Breach Risk: Unauthorized access to sensitive user data stored in Parse Server
- Compliance Violation: Breaches security controls required by regulations (GDPR, HIPAA, PCI-DSS)
- Business Impact: Application data integrity compromised, user trust eroded
- Recovery Difficulty: Requires manual rotation of all recovery codes and user notification
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

