Parse Server Multi-Factor Authentication Recovery Code Vulnerability Allowing Unlimited Reuse

Vulnerability

A vulnerability exists in Parse Server versions from 9.0.0 up to (but not including) 9.6.0-alpha.7, and in versions prior to 8.6.33, in the handling of recovery codes for multi-factor authentication (MFA) via TOTP. When MFA is enabled, Parse Server generates two single-use recovery codes for each user account; these are intended as a fallback when a TOTP token is unavailable. However, a recovery code is not invalidated after it has been used, so the same code can be presented again indefinitely. This defeats the intended single-use property of the codes and weakens the security of MFA-protected accounts: an attacker who obtains a recovery code can repeatedly authenticate as the user, because the code is never deactivated.

Impact

The vulnerability allows for repeated authentication using the same recovery code, bypassing the single-use requirement and weakening the security of MFA-protected accounts.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.7 or 8.6.33, both of which include the necessary fix. Instructions for downloading these versions are available on the Parse Server GitHub Releases page.

Added: Mar 11, 2026, 6:18 PM
Updated: Mar 11, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread:         6.4
impact:         1.3
exploitability: 6.2
remediation:    7.7
relevance:      3.8
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.