Listen to this Post
The vulnerability stems from Parse Server’s built-in OAuth2 adapter exporting a singleton instance that is reused across all configured OAuth2 providers . This shared mutable state leads to a race condition (CWE-362) during concurrent authentication requests . When multiple users attempt to log in with different OAuth2 providers simultaneously, the server may use the configuration of one provider (e.g., Google) to validate the token of another provider (e.g., Facebook) . Consequently, a valid token for Provider A could be accepted by the server as a valid token for Provider B if the validation logic cross-wires due to the singleton instance . This allows an attacker to potentially authenticate using credentials that should have been rejected by the intended provider’s policy, effectively bypassing provider-specific security rules . The fix involves creating a new, isolated adapter instance for each provider configuration rather than reusing the single shared instance .
DailyCVE Form:
Platform: Parse Server
Version: <8.6.37, 9.0.0-9.6.0-alpha.10
Vulnerability : Singleton Race Condition
Severity: Critical (CVSS:4.0 9.1)
Date: 2026-03-12
Prediction: Already Patched
What Undercode Say:
Analytics:
The vulnerability is caused by improper synchronization of a shared resource (CWE-362). The singleton instance of the OAuth2 adapter retains state across multiple provider configurations. Under high concurrency, the execution context for token validation can switch, leading to a provider mismatch. The CVSS 4.0 score of 9.1 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) reflects a high impact on confidentiality and integrity with low attack complexity once the race condition is won .
Exploit:
Successful exploitation requires sending concurrent authentication requests for two different OAuth2 providers. The attacker submits a valid token for a provider they control (e.g., Provider A) while initiating a login flow for a target provider (e.g., Provider B). If the race condition is triggered, the token for Provider A is validated using Provider B’s configuration and policies, granting the attacker access with the identity of a user from Provider B.
Protection from this CVE:
- Immediate Update: Upgrade to patched versions `8.6.37` or `9.6.0-alpha.11` or later .
- Configuration Review: If using multiple OAuth2 providers via the `oauth2: true` flag, ensure the update is applied immediately.
- Workaround: If an immediate update is not possible, reduce the attack surface by configuring only one OAuth2 provider, as the race condition cannot occur in this scenario .
Impact:
Authentication Bypass. An attacker can log in as a user from a different OAuth2 provider than the one they have credentials for, bypassing the specific security policies and trust relationships established for that provider. This undermines the entire authentication mechanism for multi-provider setups.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

