Information Exposure Through Timing Discrepancy in Parse Server - #VU125011

 

Information Exposure Through Timing Discrepancy in Parse Server - #VU125011

Published: April 6, 2026


Vulnerability identifier: #VU125011
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote attacker to enumerate valid usernames or email addresses.

The vulnerability exists due to observable timing discrepancy in the login endpoint when processing login requests with submitted usernames or email addresses. A remote attacker can send login attempts with incorrect passwords and measure response times to enumerate valid usernames or email addresses.

Accounts without a stored password, such as OAuth-only accounts, are also affected by the timing side channel.


Remediation

Install security update from vendor's website.

Sources