Publish GHSA-r3xq-68wh-gwvh

advisory-database[bot] · advisory-database[bot] · commit 003182b7405b · 2026-03-17T17:41:34.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-r3xq-68wh-gwvh/GHSA-r3xq-68wh-gwvh.json b/advisories/github-reviewed/2026/03/GHSA-r3xq-68wh-gwvh/GHSA-r3xq-68wh-gwvh.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r3xq-68wh-gwvh",
+  "modified": "2026-03-17T17:40:08Z",
+  "published": "2026-03-17T17:40:08Z",
+  "aliases": [],
+  "summary": "Parse Server has a password reset token single-use bypass via concurrent requests",
+  "details": "### Impact\n\nThe password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead.\n\nAll Parse Server deployments that use the password reset feature are affected.\n\n### Patches\n\nThe password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.6.0-alpha.28"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.48"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10216"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10217"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-367"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T17:40:08Z",
+    "nvd_published_at": null
+  }
+}
