55 matches found
GHSA-JPQ4-7FMQ-Q5FJ parse-server: MFA SMS one-time password accepted twice under concurrent login
Impact A race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the...
parse-server: MFA SMS one-time password accepted twice under concurrent login
Impact A race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the...
PT-2026-37307
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.76 Parse Server versions prior to 9.9.0-alpha.2 Description A race condition exists in the MFA SMS one-time password OTP login path. This allows two concurrent requests to the '/login' endpoint using the same...
GHSA-W73W-G5XW-RWHF Parse Server has an MFA single-use token bypass via concurrent authData login requests
Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...
Parse Server has an MFA single-use token bypass via concurrent authData login requests
Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...
PT-2026-28613
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.64 Parse Server versions prior to 9.7.0-alpha.8 Description Parse Server is an open source backend deployable on Node.js infrastructure. An attacker with a valid authentication provider token and a single MFA...
Parse Server: MFA recovery code single-use bypass via concurrent requests
Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...
GHSA-2299-GHJR-6VJP Parse Server: MFA recovery code single-use bypass via concurrent requests
Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...
PT-2026-24478
Name of the Vulnerable Software and Affected Versions Sylius versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 and above Description Sylius, an Open Source eCommerce Framework on Symfony, contains a Time-of-Check To Time-of-Use TOCTOU race condition in the...
GHSA-8986-V76Q-8VR2 @keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script
Overview P2PKH has 20 bytes just like P2SH. We protect against revealing P2PKH deposits by manually assembling the expected P2SH script in the smart contract and comparing hashes. However, we missed the case when the attacker embeds a valid P2SH inside of P2PKH as an output script. bitcoin-spv...
Malicious code in optimistic_jay_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3956099d3dde09c9dc38e1e9ed7643015d9ebc27370284672671666f28afcf71 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in optimistic_swordtail_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21adde43d7fcb3b38a2a8902ab2e7efefd5e5f99b9491a79cbfb6d93c867cc19 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-103138
Malicious code in optimisticcarpz3n npm...
MAL-2025-129269 Malicious code in optimistic_koi_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c14425091869521e16f1bd31e2de3da189f8efae3c0ac6d762fdac2e0327e46 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-103135
Malicious code in optimisticwolverinez3n npm...
EUVD-2025-89573
Malicious code in optimisticchipmunkz3n npm...
EUVD-2025-74400
Malicious code in optimisticcephalopodemerald-83 npm...
MAL-2025-112152 Malicious code in optimistic_cephalopod_emerald-83 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0169e6ecd28c1f903c29cd4040fad0c900f5839bc65f5651f2769418846c826 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-74399
Malicious code in optimisticshrewmagenta-83 npm...
MAL-2025-106760 Malicious code in optimistic_turtle-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8308caa8444d2c1b1e847c7bd440c224e1e1b9b3f632b0dc38a8abdb941d7265 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...