GHSA-mmpq-5hcv-hf2v
Parse Server has a login timing side-channel reveals user existence
Details
### Impact
The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.
### Patches
A dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle.
### Workarounds
Configure rate limiting on the login endpoint to slow automated enumeration. This reduces throughput but does not eliminate the timing signal for individual requests.
Are you affected?
Enter the version of the package you're using.
Affected packages
9.0.0 Fixed in: 9.8.0-alpha.6 npm install parse-server@9.8.0-alpha.6 References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39321 [ADVISORY]
- https://github.com/parse-community/parse-server/pull/10398 [WEB]
- https://github.com/parse-community/parse-server/pull/10399 [WEB]
- https://github.com/parse-community/parse-server [PACKAGE]