#VU125011 Information Exposure Through Timing Discrepancy in Parse Server

Published: April 6, 2026

Vulnerability identifier: #VU125011
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Parse Server
Software vendor:
Parse Community

Description

The vulnerability allows a remote attacker to enumerate valid usernames or email addresses.

The vulnerability exists due to an observable timing discrepancy in the login endpoint when it processes login requests containing a submitted username or email address. A remote attacker can send login attempts with incorrect passwords and measure response times to enumerate valid usernames or email addresses.

Accounts without a stored password, such as OAuth-only accounts, are also affected by the timing side channel.

Remediation

Install the security update from the vendor's website.

External links