Parse Server is an open-source backend framework that runs on Node.js and supports email verification via the /verificationEmailRequest endpoint. In affected versions prior to 8.6.34 and 9.6.0-alpha.8, this endpoint leaks information through observable response discrepancies. Specifically, it returns different error responses depending on whether the submitted email address is registered, already verified, or non-existent. This behavior constitutes a CWE-204 (Observable Response Discrepancy) vulnerability, enabling an unauthenticated attacker to enumerate valid user email addresses by sending crafted requests and analyzing the error codes returned. Such user enumeration can be leveraged to identify valid accounts for further attacks such as credential stuffing, phishing, or social engineering. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, partial attack traceability, no privileges or user interaction needed, and low impact on confidentiality. The issue is resolved in parse-server versions 8.6.34 and 9.6.0-alpha.8 by standardizing error responses to prevent information leakage. No known exploits are reported in the wild as of now.

The primary impact of this vulnerability is information disclosure through user enumeration. Attackers can identify valid email addresses registered in applications using vulnerable parse-server versions with email verification enabled. This undermines user privacy and can facilitate subsequent targeted attacks such as phishing campaigns, credential stuffing, and social engineering. While the vulnerability does not directly allow account takeover or data modification, the disclosed information significantly lowers the attacker's effort and increases the likelihood of successful attacks. Organizations relying on parse-server for backend services, especially those handling sensitive user data or operating in regulated industries, face increased risk of reputational damage, compliance violations, and potential data breaches stemming from secondary attacks enabled by this enumeration. The vulnerability affects all deployments of affected parse-server versions globally where email verification is enabled, making it a widespread concern.

To mitigate this vulnerability, organizations should upgrade parse-server to version 8.6.34 or later, or 9.6.0-alpha.8 or later, where the issue is fixed by normalizing error responses to prevent user enumeration. If immediate upgrade is not feasible, administrators can implement custom middleware or API gateway rules to standardize responses from the /verificationEmailRequest endpoint, ensuring identical error messages regardless of email existence or verification status. Additionally, rate limiting and IP reputation filtering can reduce the risk of automated enumeration attempts. Monitoring logs for unusual patterns of verification requests can help detect exploitation attempts. Educating users about phishing risks and enforcing strong authentication mechanisms (e.g., multi-factor authentication) can mitigate downstream risks from enumerated accounts. Finally, reviewing and minimizing exposed information in API responses is a best practice to prevent similar vulnerabilities.