Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.7.0-alpha.7
- < 8.6.63
Parse Server versions prior to 8.6.63, and 9.x versions prior to 9.7.0-alpha.7, return a user's raw authentication data from the verify password endpoint without stripping the sensitive fields. The disclosed data includes multi-factor authentication (MFA) TOTP secrets, MFA recovery codes, and OAuth access tokens. An attacker who already knows a user's password can call the endpoint, read the TOTP secret from the response, generate valid MFA codes from it, and so bypass the account's multi-factor authentication.
The impact is a complete defeat of the second factor: the password, which MFA is meant to contain, is the only thing the attacker needs, and recovery codes are disclosed alongside the TOTP secret. Disclosed OAuth access tokens are likewise usable by the attacker.
To reproduce, send a request to the verify password endpoint with valid credentials for an account. The response contains the account's raw authentication data, including the MFA TOTP secret and recovery codes, which can be extracted and used to bypass MFA.
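As an added example (not Parse Server's own code and not part of the advisory), the following Node script checks a verify-password response for credential material under `authData` and strips that field before the object is reused or logged. The request shape in `probeVerifyPassword` (POST `/verifyPassword` with a JSON `username`/`password` body and an `X-Parse-Application-Id` header) and the sample response are assumptions made for this example; the heuristic that anything under `authData` other than a provider's `id` is credential material is likewise a choice made here, not Parse Server's definition.

```javascript
// Added example, not Parse Server's own code: detect and strip credential material
// (TOTP secrets, recovery codes, OAuth tokens) returned under authData by a
// vulnerable verify password endpoint.

// Keys under a provider entry that are NOT treated as credential material.
// Assumption for this example: a provider user id is an identifier, not a secret.
const NON_SENSITIVE_KEYS = new Set(['id']);

// Walk user.authData and return the dotted path of every field that looks like
// credential material. Heuristic: every key except `id` under a provider entry.
function findSensitiveAuthData(user) {
  const leaks = [];
  const authData = user && user.authData;
  if (!authData || typeof authData !== 'object') return leaks;
  for (const [provider, entry] of Object.entries(authData)) {
    if (!entry || typeof entry !== 'object') continue;
    for (const key of Object.keys(entry)) {
      if (!NON_SENSITIVE_KEYS.has(key)) leaks.push(`authData.${provider}.${key}`);
    }
  }
  return leaks;
}

// Return a copy of the user object with authData removed entirely, so the secrets
// never reach logs, caches or client code that only needs the password check result.
function stripAuthData(user) {
  const { authData, ...rest } = user;
  return rest;
}

// Probe a live deployment (network call, not exercised offline). The route and
// parameter names are assumptions; adjust them to the deployment under test.
async function probeVerifyPassword(serverURL, appId, username, password) {
  const res = await fetch(`${serverURL.replace(/\/$/, '')}/verifyPassword`, {
    method: 'POST',
    headers: { 'X-Parse-Application-Id': appId, 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  });
  if (!res.ok) throw new Error(`verifyPassword failed: HTTP ${res.status}`);
  return findSensitiveAuthData(await res.json());
}

// Constructed sample shaped like a vulnerable server's reply; all values are fake.
const SAMPLE_LEAKY_RESPONSE = {
  objectId: 'abc123',
  username: 'alice',
  authData: {
    mfa: { secret: 'JBSWY3DPEHPK3PXP', recovery: ['1111-2222', '3333-4444'] },
    github: { id: '42', access_token: 'gho_exampletoken' },
  },
};

function demo() {
  const leaks = findSensitiveAuthData(SAMPLE_LEAKY_RESPONSE);
  console.log(leaks.length ? `LEAK: ${leaks.join(', ')}` : 'no authData leaked');
  console.log(stripAuthData(SAMPLE_LEAKY_RESPONSE));
  return leaks;
}

demo();
```

Run it against the constructed sample to see the three flagged paths; point `probeVerifyPassword` at a test account on a staging deployment to confirm whether a server still returns `authData` from the endpoint before and after upgrading.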
Upgrade to Parse Server 8.6.63 or 9.7.0-alpha.7 (or later), where this vulnerability has been patched. Upgrading does not invalidate data already disclosed: for accounts whose password may have been known to an attacker, re-enroll MFA (new TOTP secret and recovery codes) and revoke the linked OAuth tokens.