Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
AnalysisAI
Parse Server versions prior to 9.8.0-alpha.6 and 8.6.74 leak valid usernames through timing side-channel attacks on the login endpoint, allowing unauthenticated attackers to enumerate existing user accounts by measuring response latency differences between non-existent users and incorrect password attempts. The vulnerability exploits inadequate constant-time comparison in password verification, enabling account enumeration without authentication and with moderate attack complexity.
Technical ContextAI
Parse Server is a Node.js-based backend framework that implements user authentication via a login endpoint. The vulnerability stems from CWE-208 (Observable Timing Discrepancy), a timing side-channel weakness where the server exhibits measurably different response times based on whether a username exists in the database. Specifically, the code path for non-existent users returns immediately, while valid usernames trigger a bcrypt password comparison operation that introduces significant computational latency. This timing differential is observable over a network and allows attackers to distinguish valid accounts from invalid ones through statistical analysis of response times across multiple login attempts. The root cause is the absence of constant-time operation masking in the authentication flow.
RemediationAI
Vendor-released patch: Parse Server 9.8.0-alpha.6 and 8.6.74 or later. Upgrade immediately to one of these patched versions. The fix implements constant-time comparison logic in the login endpoint to eliminate timing discrepancies between user-found and user-not-found code paths, ensuring response latency is invariant regardless of whether the submitted username exists in the database. For users unable to upgrade immediately, implement rate limiting on login endpoints and monitor for brute-force patterns as a temporary mitigation, though this does not fully prevent statistical timing analysis over extended periods. See https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v for official remediation guidance.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19818
GHSA-mmpq-5hcv-hf2v