GHSA-mmpq-5hcv-hf2v
Parse Server has a login timing side-channel that reveals user existence
## Details
### Impact
The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.
### Patches
A dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle.
### Workarounds
Configure rate limiting on the login endpoint to slow automated enumeration. This reduces throughput but does not eliminate the timing signal for individual requests.
### Affected packages
### References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39321 [ADVISORY]
- https://github.com/parse-community/parse-server/pull/10398 [WEB]
- https://github.com/parse-community/parse-server/pull/10399 [WEB]
- https://github.com/parse-community/parse-server [PACKAGE]