Parse Server's MFA recovery codes not consumed after use
GHSA-4hf6-3x24-c9m8 · BIT-parse-2026-31875 · CVE-2026-31875
Published · Modified
Description
Impact
When multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts.
An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated.
Patches
The fix ensures that each recovery code is removed from the stored recovery code list after a successful login.
Workarounds
There is no known workaround.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.33
References
- WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-31875
- PACKAGE https://github.com/parse-community/parse-server
- WEB https://github.com/parse-community/parse-server/releases/tag/8.6.33
- WEB https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7
Ready to move
Start Securing
Free, no credit card | First findings in minutes