Time-of-check Time-of-use (TOCTOU) Race Condition Affecting parse-server package, versions <8.6.64, >=9.0.0 <9.7.0-alpha.8


Severity

Recommended: 0.0 (low)

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-JS-PARSESERVER-15812213
  • Published: 29 Mar 2026
  • Disclosed: 29 Mar 2026
  • Credit: offset

Introduced: 29 Mar 2026

CVE-2026-34224
CWE-367

How to fix?

Upgrade parse-server to version 8.6.64, 9.7.0-alpha.8 or higher.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the authData login process. An attacker can maintain multiple authenticated sessions by sending concurrent login requests with a valid authentication provider token and a single MFA recovery code or SMS one-time password, thereby bypassing the intended single-use restriction and persisting sessions even after legitimate session revocation.
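
The check-then-use pattern behind this class of bug, next to an atomic consume, as an added example that is not parse-server's code and does not show the project's actual fix. `CodeStore`, `loginCheckThenDelete`, `loginAtomicConsume`, `countSessions` and the sample code value are hypothetical names constructed for illustration.

```javascript
// Added illustration; not parse-server code. All names are hypothetical.
const tick = () => new Promise((resolve) => setImmediate(resolve));

// Constructed in-memory stand-in for a datastore of single-use codes.
// Each method awaits once, like a real database round trip.
class CodeStore {
  constructor(codes) { this.codes = new Set(codes); }
  async has(code) { await tick(); return this.codes.has(code); }
  async remove(code) { await tick(); this.codes.delete(code); }
  // Check and removal happen in one step: Set.delete() returns true only
  // for the caller that actually removed the code.
  async consume(code) { await tick(); return this.codes.delete(code); }
}

let issued = 0;
const newSession = () => `session-${++issued}`; // constructed token

// Racy pattern: the code is validated (check) and invalidated (use) in two
// separate round trips, so concurrent requests all pass the check.
async function loginCheckThenDelete(store, code) {
  if (!(await store.has(code))) return null;
  await store.remove(code);
  return newSession();
}

// Hardened pattern: a session is issued only if this request consumed the code.
async function loginAtomicConsume(store, code) {
  return (await store.consume(code)) ? newSession() : null;
}

// Fire `attempts` concurrent logins with the same code; count sessions issued.
async function countSessions(login, attempts) {
  const store = new CodeStore(['RECOVERY-CODE-1']); // constructed sample code
  const results = await Promise.all(
    Array.from({ length: attempts }, () => login(store, 'RECOVERY-CODE-1'))
  );
  return results.filter(Boolean).length;
}

countSessions(loginCheckThenDelete, 5).then((n) => console.log('check-then-delete:', n)); // 5
countSessions(loginAtomicConsume, 5).then((n) => console.log('atomic consume:', n)); // 1
```

With a real database, the equivalent of `consume` is a single conditional delete or update whose result reports whether a record was matched.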
