Parse Server, MFA Token Bypass, GitHub Advisory (Low)

Listen to this Post

The vulnerability arises from a race condition in Parse Server’s `authData` login endpoint. When a user possesses a valid authentication provider token (e.g., from Facebook or Google) and a single MFA recovery code or SMS one-time password, the server’s original logic did not enforce atomicity during session creation. An attacker can initiate multiple concurrent login requests using the same MFA token before the server marks it as used. In the absence of optimistic locking, each concurrent request reads the user record with the MFA token still marked as valid, allowing the server to generate separate authenticated sessions for each request. This bypasses the single-use guarantee of MFA recovery codes and SMS OTPs. The fix implements optimistic locking on the user record during the authData login flow. Now, when multiple concurrent requests attempt to update the same user document, only the first succeeds; subsequent requests detect a version conflict (e.g., via a MongoDB `__v` field or equivalent) and fail, preserving the MFA token’s single-use constraint.

dailycve form is:

Platform: Parse Server
Version: <9.7.0-alpha.8, <8.6.64
Vulnerability : MFA Bypass Concurrent
Severity: Low
date: Mar 29 2026

Prediction: Already patched

Analytics under heading What Undercode Say:

Check user record version conflicts in MongoDB
db.User.find({ _id: userId }, { __v: 1, mfaTokens: 1 })
Simulate concurrent authData login attempts
for i in {1..5}; do
curl -X POST https://parse-server.example.com/login \
-H "Content-Type: application/json" \
-d '{"authData":{"facebook":{"id":"token"}},"mfaCode":"recovery123"}' &
done

Exploit:

An attacker with a stolen authData token and a single MFA code sends multiple simultaneous POST requests to `/login` before the server marks the code used, obtaining multiple valid session tokens.

Protection from this CVE

Upgrade to Parse Server 8.6.64 or 9.7.0-alpha.8. Ensure optimistic locking is enabled in your database adapter.

Impact:

An attacker can create persistent sessions even after a user revokes compromised sessions, undermining MFA’s single-use recovery mechanism.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top