Parse Server Login Timing Vulnerability Allows User Enumeration

Vulnerability

A timing-based vulnerability has been identified in Parse Server, an open-source backend framework that runs on Node.js. This issue affects versions 9.0.0 prior to 9.8.0-alpha.6 and versions prior to 8.6.74. The vulnerability arises because the login endpoint's response time varies significantly based on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. However, if a user exists but the password is incorrect, the server introduces a delay by performing a bcrypt comparison first. This discrepancy in response times enables an unauthenticated attacker to systematically identify valid usernames or email addresses.

Impact

Exploitation of this vulnerability allows for automated enumeration of valid usernames or email addresses through the login endpoint, increasing the risk of targeted attacks such as password guessing or phishing.

Remediation

Users can update to Parse Server versions 9.8.0-alpha.6 or 8.6.74, where this vulnerability has been patched. The update normalizes response timing by introducing a dummy bcrypt comparison when no user is found, preventing the timing difference that could be exploited. For those using Parse Server 9, the fix is available in the alpha branch, while Parse Server 8 users can find the patch in the release-8.x.x branch.

Added: Apr 7, 2026, 7:04 PM
Updated: Apr 7, 2026, 7:04 PM

Vulnerability Rating

Custom Algorithm
  spread          6.4
  impact          0.6
  exploitability  7.5
  remediation     7.9
  relevance       5.4
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.