CVE-2026-31875: CWE-672: Operation on a Resource after Expiration or Release in parse-community parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Parse Server is an open-source backend platform running on Node.js, widely used for mobile and web applications. It supports multi-factor authentication (MFA) using Time-based One-Time Passwords (TOTP), enhancing account security by requiring a second authentication factor. To aid users who lose access to their TOTP tokens, Parse Server generates two single-use recovery codes as fallback authentication methods. However, in affected versions prior to 9.6.0-alpha.7 and 8.6.33, these recovery codes are not consumed or invalidated after use. This is a classic example of CWE-672, where operations are performed on a resource after it should have been expired or released. Consequently, an attacker who obtains a single recovery code can reuse it indefinitely to bypass MFA protections and authenticate as the victim user repeatedly. The vulnerability does not require prior authentication or user interaction, but it does require the attacker to have obtained a recovery code, which could happen through phishing, social engineering, or other means. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H), with no impact on integrity or availability. This vulnerability significantly weakens the security posture of MFA-enabled accounts by defeating the single-use design of recovery codes. The issue has been resolved in versions 9.6.0-alpha.7 and 8.6.33 by ensuring recovery codes are invalidated after use, restoring the intended security model.
Potential Impact
The primary impact of this vulnerability is the compromise of multi-factor authentication security for accounts protected by parse-server MFA with TOTP enabled. Attackers who obtain a single recovery code can repeatedly bypass MFA, effectively reducing account security to single-factor authentication. This can lead to unauthorized access to sensitive user data, manipulation of user accounts, and potential lateral movement within affected systems. Organizations relying on parse-server for backend services, especially those handling sensitive or personal data, face increased risks of data breaches and account takeovers. The vulnerability undermines trust in MFA mechanisms, potentially exposing organizations to regulatory and compliance violations related to authentication controls. Since recovery codes are intended as a last-resort fallback, their unlimited reuse greatly expands the attack surface. Although no known exploits are reported in the wild, the high CVSS score and ease of exploitation once a recovery code is obtained make this a critical risk for affected deployments.
Mitigation Recommendations
Organizations should immediately upgrade parse-server to a patched release (9.6.0-alpha.7 or later, or 8.6.33 or later). Until upgrades are applied, administrators should consider invalidating all existing recovery codes and regenerating them to prevent reuse. Implement strict access controls and monitoring to detect unusual authentication patterns indicative of recovery code abuse. Educate users on safeguarding recovery codes and recognizing phishing attempts that could lead to code compromise. Additionally, consider anomaly detection that flags repeated use of recovery codes, or recovery-code logins from unusual locations or devices. Regularly audit MFA configurations and recovery code usage logs to identify potential abuse. For deployments unable to upgrade immediately, disabling recovery codes temporarily or enforcing stricter MFA policies may reduce risk, though at the cost of user convenience.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T19:02:25.014Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1b88a2f860ef943602166
Added to database: 3/11/2026, 6:46:34 PM
Last enriched: 3/18/2026, 7:05:40 PM
Last updated: 4/28/2026, 2:49:35 AM