Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.

N/A

检查时间与使用时间(TOCTOU)的竞争条件

Parse Server 安全漏洞

Parse Server是Parse Platform开源的一个开源后端，可以部署到任何可以运行 Node.js 的基础设施。 Parse Server 8.6.60之前版本和9.6.0-alpha.54之前版本存在安全漏洞，该漏洞源于并发登录请求可无限次重用MFA恢复代码，可能导致绕过单次使用限制。

N/A

N/A