Impact Analysis

This vulnerability can allow an attacker who has intercepted a password reset token to take over a user's account by changing their password without authorization.

The legitimate user may be unaware that their account has been compromised because their password reset request appears to succeed.

This can lead to unauthorized access to user data and services protected by the compromised account.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

The only known mitigation for this vulnerability is to upgrade Parse Server to version 9.6.0-alpha.28 or later, or 8.6.48 or later.

These versions include a fix where the password reset token is atomically validated and consumed as part of the password update operation, preventing multiple concurrent uses of the same token.

There is no known workaround other than upgrading.

Useful 0 Not Useful 0

Executive Summary

This vulnerability affects the password reset mechanism in Parse Server versions prior to 9.6.0-alpha.28 and 8.6.48. The issue is that the reset tokens generated for password resets are not enforced as single-use, allowing multiple concurrent requests to consume the same token within a short time window.

An attacker who intercepts a password reset token can race against the legitimate user's reset request, causing both requests to succeed. This means the attacker can change the password instead of the legitimate user, while the legitimate user believes their password was successfully changed.

The vulnerability is fixed in versions 9.6.0-alpha.28 and 8.6.48 by atomically validating and consuming the reset token as part of the password update operation, ensuring only one request can use the token.

Useful 0 Not Useful 0