Parse Server Race Condition Vulnerability in MFA SMS OTP Login Allowing Token Duplication

Vulnerability

A race condition vulnerability has been identified in Parse Server versions prior to 8.6.76 and 9.9.0-alpha.2. It affects the Multi-Factor Authentication (MFA) SMS one-time password (OTP) login: the check that a submitted OTP matches the stored one and the step that invalidates the OTP are not performed as a single atomic operation, so two login requests that arrive at the same time with the same OTP can both pass the check before either has invalidated it. Both requests then receive valid session tokens, defeating the OTP's intended single-use property. Exploitation requires the attacker to know the victim's password and to obtain the currently active SMS OTP, for example through SIM swapping, network mirroring, or phishing, and then to submit a login request concurrently with the legitimate one. The window for doing so is narrow in practice.

Impact

When the race is won, two concurrent login requests carrying the same OTP are both processed successfully and each is issued a valid session token. This breaks the single-use requirement of the OTP and can give an attacker who holds the victim's password and intercepted OTP an authenticated session of their own. Because the legitimate request also succeeds, the victim sees a normal login and receives no failure that would signal the attempt.

Remediation

Users should update to Parse Server version 8.6.76 or 9.9.0-alpha.2, where this vulnerability has been fixed. Where an update is not immediately possible, two mitigations are available. SMS MFA can be disabled in favour of Time-based One-Time Password (TOTP) authentication, which is validated against a time window rather than against a stored single-use token; note that a TOTP code remains accepted for its whole time step (plus any clock-skew tolerance) unless the server also records the last accepted step, so an intercepted TOTP code is replayable within that step. Alternatively, a rate limiter on the login endpoint reduces an attacker's ability to land many concurrent requests; it lowers the odds of winning the race but does not remove it, since two requests already in flight can still interleave before the limiter counts them.
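The race described under Vulnerability and the atomic fix described under Remediation, as an added Python model that is not Parse Server's own JavaScript code: OtpStore, login_vulnerable, login_fixed, the user name and the OTP value are all hypothetical, and each store method awaits once to stand in for a database round-trip, which is the point at which another in-flight request gets to run.

```python
import asyncio
import secrets


class OtpStore:
    """Stand-in for the database record holding a user's pending SMS OTP.

    Hypothetical model for this example, not Parse Server's storage layer.
    Every method awaits once to model a database round-trip; that await is
    where a concurrent login request can be scheduled in between.
    """

    def __init__(self, pending):
        self.pending = dict(pending)

    async def get(self, user):
        await asyncio.sleep(0)
        return self.pending.get(user)

    async def delete(self, user):
        await asyncio.sleep(0)
        self.pending.pop(user, None)

    async def consume(self, user, otp):
        # Compare-and-delete as one step: no await between the check and the
        # removal, which is what a single conditional delete gives you at the
        # database level. Only one caller can observe the matching record.
        await asyncio.sleep(0)
        stored = self.pending.get(user)
        if stored is not None and secrets.compare_digest(stored, otp):
            del self.pending[user]
            return True
        return False


async def login_vulnerable(store, user, otp):
    """Check-then-consume: the read and the invalidation are separate operations."""
    stored = await store.get(user)                       # (1) read the pending OTP
    if stored is None or not secrets.compare_digest(stored, otp):
        return None
    await store.delete(user)                             # (2) invalidate it
    # Any other request that completed (1) before this one reached (2) also
    # saw a valid OTP and will also be issued a token below.
    return secrets.token_hex(16)                         # session token


async def login_fixed(store, user, otp):
    """Atomic consume: the OTP is checked and removed in a single operation."""
    if not await store.consume(user, otp):
        return None
    return secrets.token_hex(16)


USER, OTP = "alice", "482913"   # constructed sample data


def tokens_issued_concurrently(login, attempts=2):
    """Submit `attempts` logins with the same OTP at once; return how many got tokens."""
    async def run():
        store = OtpStore({USER: OTP})
        results = await asyncio.gather(*(login(store, USER, OTP) for _ in range(attempts)))
        return sum(t is not None for t in results)
    return asyncio.run(run())


def tokens_issued_sequentially(login):
    """Submit the same OTP twice, one request strictly after the other."""
    async def run():
        store = OtpStore({USER: OTP})
        first = await login(store, USER, OTP)
        second = await login(store, USER, OTP)
        return sum(t is not None for t in (first, second))
    return asyncio.run(run())


if __name__ == "__main__":
    print("vulnerable, 2 concurrent:", tokens_issued_concurrently(login_vulnerable))  # 2
    print("fixed,      2 concurrent:", tokens_issued_concurrently(login_fixed))       # 1
    print("vulnerable, sequential:  ", tokens_issued_sequentially(login_vulnerable))  # 1
```

The sequential case shows that the vulnerable version does reject a reused OTP when requests arrive one after another; the defect only surfaces when a second request reads the OTP between another request's read and its delete. A rate limiter narrows how many requests can be in that position at once but cannot make the two steps atomic; the durable fix is to check and invalidate the OTP in one operation at the store, as consume does.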

Added: May 12, 2026, 2:25 PM
Updated: May 12, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.2
remediation: 8.3
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.