Описание
Parse Server: MFA recovery code single-use bypass via concurrent requests
Impact
An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds.
Patches
The login handler now uses optimistic locking when updating auth data that contains consumed single-use tokens. If a concurrent request has already modified the recovery array, the update fails and the login is rejected.
Workarounds
There are no known workarounds.
Пакеты
parse-server
>= 9.0.0, < 9.6.0-alpha.54
9.6.0-alpha.54
parse-server
< 8.6.60
8.6.60