logo

Database

Race condition In parse-server

Description

Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact

An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds.

Patches

The login handler now uses optimistic locking when updating auth data that contains consumed single-use tokens. If a concurrent request has already modified the recovery array, the update fails and the login is rejected.

Workarounds

There are no known workarounds.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-336242. NVD-2026-336243. OSV-2026-336244. GHSA-2299-ghjr-6vjp5. GCVE-2026-33624

References

1. https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp2. https://github.com/parse-community/parse-server/pull/102753. https://github.com/parse-community/parse-server/pull/10276

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.