
CVE-2026-31875: CWE-672: Operation on a Resource after Expiration or Release in parse-community parse-server

Severity: High
Published: Wed Mar 11 2026 (03/11/2026, 18:04:55 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.

AI-Powered Analysis

Last updated: 03/11/2026, 18:49:01 UTC

Technical Analysis

Parse Server is an open-source backend framework that supports multi-factor authentication (MFA) via Time-based One-Time Passwords (TOTP). In affected versions prior to 9.6.0-alpha.7 and 8.6.33, the system generates two single-use recovery codes per user as a fallback for when TOTP tokens are unavailable. These recovery codes are designed to be consumed and invalidated upon use so they cannot be replayed. However, due to a logic flaw categorized as CWE-672 (Operation on a Resource after Expiration or Release), the recovery codes remain valid indefinitely after their initial use. This means an attacker who obtains any one recovery code can authenticate repeatedly as the targeted user without the code ever being revoked or marked as used. The vulnerability arises from a failure to update or delete the recovery code record after consumption, violating the intended single-use constraint. Exploitation requires possession of a recovery code, which could be obtained through phishing, social engineering, or other credential theft methods. The vulnerability has a CVSS 4.0 score of 8.2, indicating high severity, with a network attack vector, high impact on confidentiality, and no user interaction required. The flaw compromises the integrity of MFA protections, effectively reducing account security to single-factor authentication once a recovery code is compromised. The issue is fixed in parse-server versions 9.6.0-alpha.7 and 8.6.33 by ensuring recovery codes are invalidated after use.

Potential Impact

This vulnerability undermines the security of MFA-protected accounts on parse-server deployments. Organizations that rely on parse-server for backend services and enable MFA with recovery codes risk persistent unauthorized access if an attacker obtains a single recovery code. The attacker can bypass MFA repeatedly, since affected versions never invalidate the code, potentially leading to account takeover, data breaches, and unauthorized actions within affected applications. The flaw affects confidentiality and integrity by allowing attackers to impersonate legitimate users indefinitely. Because parse-server is used across industries including education, mobile applications, and enterprise services, the scope of impact is broad. The vulnerability could facilitate lateral movement within networks, data exfiltration, and disruption of services. Although no exploits are currently known in the wild, the ease of exploitation once a recovery code is obtained and the high severity score indicate a strong potential for abuse. Organizations with parse-server deployments should treat this as a critical risk to user authentication security.

Mitigation Recommendations

The primary mitigation is to upgrade parse-server to version 9.6.0-alpha.7 or later, or 8.6.33 or later, where the recovery code invalidation logic is corrected. Until upgrades can be applied, organizations should consider disabling MFA recovery codes or implementing additional monitoring and alerting for repeated use of the same recovery code. Tightening access controls and auditing mechanisms around recovery code generation and usage can help detect suspicious activity. Educating users about safeguarding recovery codes and employing secure distribution methods reduces the risk of code compromise. Additionally, integrating anomaly detection to flag multiple authentications using the same recovery code can provide early warning. Organizations should review their incident response plans to address potential account compromises stemming from this vulnerability. Finally, applying network-level protections and limiting exposure of parse-server endpoints can reduce attacker access opportunities.
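The monitoring step above (alerting on repeated use of the same recovery code) can be expressed as a small log rule. The following is an added example, not parse-server's logging or any product's detection content: it assumes a constructed JSON-lines authentication log in which each recovery-code login records the user and a digest of the code used, never the code itself, and flags any (user, code digest) pair that succeeds more than once. The field names and sample records are constructed for this example.

```javascript
// Added example (not parse-server code): log-based detection of the
// recovery-code reuse described in the mitigation text. One JSON object per
// line; field names and sample records are constructed for this example.
const SAMPLE_LOG = [
  '{"ts":"2026-03-11T18:00:01Z","event":"mfa_recovery_login","result":"success","user":"alice","codeHash":"sha256:aa11","ip":"203.0.113.7"}',
  '{"ts":"2026-03-11T18:05:10Z","event":"mfa_totp_login","result":"success","user":"bob","ip":"198.51.100.9"}',
  '{"ts":"2026-03-11T18:20:33Z","event":"mfa_recovery_login","result":"failure","user":"alice","codeHash":"sha256:dead","ip":"203.0.113.7"}',
  'this line is not JSON and must be skipped',
  '{"ts":"2026-03-11T19:41:02Z","event":"mfa_recovery_login","result":"success","user":"alice","codeHash":"sha256:aa11","ip":"198.51.100.23"}',
  '{"ts":"2026-03-11T20:02:45Z","event":"mfa_recovery_login","result":"success","user":"bob","codeHash":"sha256:bb22","ip":"198.51.100.9"}',
  '{"ts":"2026-03-11T20:10:00Z","event":"mfa_recovery_login","result":"success","user":"alice","codeHash":"sha256:cc33","ip":"203.0.113.7"}',
];

// Parse one line; returns null for anything that is not a well-formed record
// so a malformed line cannot abort the whole scan.
function parseLine(line) {
  let rec;
  try { rec = JSON.parse(line); } catch (_) { return null; }
  if (!rec || typeof rec !== 'object') return null;
  for (const f of ['ts', 'event', 'result', 'user']) {
    if (typeof rec[f] !== 'string') return null;
  }
  return rec;
}

// Group successful recovery-code logins by (user, codeHash). Each code is
// meant to be accepted exactly once, so any group with two or more entries
// is a reuse alert. Failed attempts are ignored: a rejected code was not
// "used", and counting them would only add noise.
function findRecoveryCodeReuse(lines) {
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.event !== 'mfa_recovery_login' || rec.result !== 'success') continue;
    if (typeof rec.codeHash !== 'string') continue;
    const key = `${rec.user}\u0000${rec.codeHash}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rec);
  }
  const alerts = [];
  for (const events of groups.values()) {
    if (events.length < 2) continue;
    events.sort((a, b) => a.ts.localeCompare(b.ts));
    alerts.push({
      user: events[0].user,
      codeHash: events[0].codeHash,
      uses: events.length,
      firstSeen: events[0].ts,
      lastSeen: events[events.length - 1].ts,
      sourceIps: [...new Set(events.map((e) => e.ip))],
    });
  }
  return alerts;
}

for (const a of findRecoveryCodeReuse(SAMPLE_LOG)) {
  console.log(`ALERT recovery code reused: user=${a.user} code=${a.codeHash} uses=${a.uses} ips=${a.sourceIps.join(',')}`);
}
```

On the sample log this yields one alert: alice's code `sha256:aa11` was accepted twice, from two different source addresses, which is exactly the behaviour the fixed versions make impossible. The rule is a stopgap for the window before upgrading; it only reports reuse after the second successful login, so it complements, rather than replaces, the upgrade to 9.6.0-alpha.7 or 8.6.33.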


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-09T19:02:25.014Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b1b88a2f860ef943602166

Added to database: 3/11/2026, 6:46:34 PM

Last enriched: 3/11/2026, 6:49:01 PM

Last updated: 3/14/2026, 12:45:48 AM

