GHSA-mmpq-5hcv-hf2v

Source
https://github.com/advisories/GHSA-mmpq-5hcv-hf2v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmpq-5hcv-hf2v/GHSA-mmpq-5hcv-hf2v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mmpq-5hcv-hf2v
Aliases
Published
2026-04-08T00:07:10Z
Modified
2026-04-15T21:34:44.865456Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Parse Server has a login timing side-channel that reveals user existence
Details

Impact

The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.

Patches

A dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle.

Workarounds

Configure rate limiting on the login endpoint to slow automated enumeration. This reduces throughput but does not eliminate the timing signal for individual requests.

Database specific
{
    "github_reviewed_at": "2026-04-08T00:07:10Z",
    "nvd_published_at": "2026-04-07T18:16:43Z",
    "cwe_ids": [
        "CWE-208"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / parse-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
9.8.0-alpha.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmpq-5hcv-hf2v/GHSA-mmpq-5hcv-hf2v.json"

npm / parse-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.6.74

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmpq-5hcv-hf2v/GHSA-mmpq-5hcv-hf2v.json"