Parse Server, Information Disclosure, CVE-2026-53725 (Medium) -DC-Jun2026-494


Parse Server is an open-source backend that can be deployed to any infrastructure capable of running Node.js. In versions from 9.8.0 up to (but not including) 9.9.1-alpha.5, a vulnerability exists in applications that enable Multi-Factor Authentication (MFA) while simultaneously denying `get` operations on the `_User` class via Class-Level Permissions (CLP).
The flaw resides in the authentication flow of the `/login` and `/verifyPassword` endpoints. Normally, these endpoints re-fetch the user’s data through an access-controlled query pipeline that enforces CLP, protectedFields, and auth-adapter sanitizers before responding. However, when this re-fetch is denied by the `_User` get permission, the server incorrectly falls back to returning the raw database row.
This fallback behavior bypasses all security controls, exposing sensitive information that should have been filtered out. The exposed data includes raw `authData` such as MFA TOTP secrets and recovery codes, as well as fields hidden by `protectedFields` (when `protectedFieldsOwnerExempt` is false).
The `/verifyPassword` endpoint presents the most severe risk. An attacker who knows a victim’s username and password can call this endpoint without a session or MFA token. The server will then return the victim’s MFA secret and recovery codes, allowing the attacker to generate valid TOTP codes and completely defeat the second factor of authentication.
Parse Server versions 8.x and earlier are not affected by this issue. Furthermore, requests made with a master key or maintenance key are unaffected, as they bypass these access controls by design.

The vulnerability has been patched in version 9.9.1-alpha.5.

DailyCVE Form

Platform: Parse Server
Version: 9.8.0 up to (but not including) 9.9.1-alpha.5
Vulnerability: Information Disclosure
Severity: Medium (CVSS 5.9)
Date: 2026-06-12

Prediction: 2026-06-19

What Undercode Say

```bash
# Check the installed Parse Server version
npm list parse-server

# Verify that MFA is enabled and that `get` on _User is denied
# (check your Parse Server configuration and CLP settings)

# Test for the vulnerability (ethical testing only):
# call /verifyPassword with a known user's credentials
curl -X POST http://your-parse-server.com/verifyPassword \
  -H "Content-Type: application/json" \
  -d '{"username":"victim_username","password":"victim_password"}'

# If vulnerable, the response will contain sensitive authData.
# A patched server will only return the user's identity.
```

Exploit

An attacker can exploit this vulnerability by sending a POST request to the `/verifyPassword` endpoint with a valid username and password. Because the server falls back to the raw database row when the re-fetch is denied, the response will contain the full user object, including the raw `authData` field. This `authData` contains the MFA TOTP secret and recovery codes. With this secret, the attacker can generate valid time-based one-time passwords (TOTP) and bypass the MFA protection entirely. The attack requires no special privileges and can be performed over the network.

Protection

The only effective protection against this vulnerability is to upgrade Parse Server to version 9.9.1-alpha.5 or later. No workarounds exist that preserve the intended `_User` get restriction. The patch ensures that when a re-fetch is denied, the `/login` and `/verifyPassword` endpoints no longer fall back to the raw database row; they instead return only the user’s identity (and the session token for `/login`). Master and maintenance key callers will still receive the full record as intended.
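As an added illustration (not Parse Server's own code), the following models the denied-re-fetch fallback from the flaw description above and the patched behaviour described under Protection, with a defender-side check for a captured response; `rawUserRow`, `protectedFields`, `aclRefetch` and the `clp`/`opts` shapes are constructed assumptions, not Parse Server internals.

```javascript
// Added illustration only, not Parse Server's own code: it models the
// /login and /verifyPassword response paths described in this advisory.
// rawUserRow, protectedFields and the clp/opts shapes are constructed samples.
const rawUserRow = {
  objectId: 'u1',
  username: 'alice',
  email: 'alice@example.com',          // hidden via protectedFields in this sample
  authData: {
    mfa: { secret: 'CONSTRUCTED-TOTP-SECRET', recovery: ['code-1', 'code-2'] },
  },
};
const protectedFields = ['email'];

// Access-controlled re-fetch: null when CLP denies `get` on _User, otherwise
// a sanitized copy (protectedFields stripped, authData removed by the
// auth-adapter sanitizer).
function aclRefetch(row, clp) {
  if (!clp.userGetAllowed) return null;
  const user = { ...row };
  delete user.authData;
  for (const f of protectedFields) delete user[f];
  return user;
}

// Vulnerable pattern (9.8.0 <= v < 9.9.1-alpha.5): a denied re-fetch falls
// back to the raw database row, leaking authData and protected fields.
function respondVulnerable(row, clp, opts = {}) {
  if (opts.master) return row;   // master/maintenance key: full record by design
  return aclRefetch(row, clp) || row;
}

// Patched pattern: a denied re-fetch yields identity only (plus the session
// token for /login); master/maintenance callers still get the full record.
function respondPatched(row, clp, opts = {}) {
  if (opts.master) return row;
  const user = aclRefetch(row, clp);
  if (user) return user;
  const identity = { objectId: row.objectId, username: row.username };
  if (opts.endpoint === '/login') identity.sessionToken = opts.sessionToken;
  return identity;
}

// Defender-side check for a captured response: does it carry MFA material
// or a field that protectedFields should have hidden?
function leaksSensitiveData(response) {
  if (!response) return false;
  if (response.authData !== undefined) return true;
  return protectedFields.some((f) => response[f] !== undefined);
}
```

Running `leaksSensitiveData` over responses captured from your own test instance gives a quick yes/no on whether the fallback is still in place after an upgrade.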

Impact

  • Confidentiality: High impact. An attacker can obtain sensitive authentication data, including MFA TOTP secrets, recovery codes, and other protected fields.
  • Integrity: No impact.
  • Availability: No impact.
  • MFA Bypass: The most critical impact is the complete defeat of multi-factor authentication. An attacker with only a username and password can retrieve the MFA secret and generate valid TOTP codes, effectively neutralizing the second factor of authentication.
  • Affected Systems: Any Parse Server instance from version 9.8.0 up to (but not including) 9.9.1-alpha.5 that has MFA enabled and denies `get` on the `_User` class via CLP.


Sources:

Reported By: github.com