One captcha token can be verified multiple times

What is the name of the domain?

localhost

What is the issue you’re encountering?

This is a security issue: one captcha token can be verified multiple times.

What are the steps to reproduce the issue?

Get the captcha response from the front end; it can be verified multiple times with this endpoint: /turnstile/v0/siteverify

Screenshot of the error

Could you share more of your siteverify logic? If you are using an idempotency_key this is expected behavior.

Hi, I’m facing the same issue as well. Calling the same request every 5 seconds yielded a success result 4 / 5 times. The backend logic looks like this:

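  // Function wrapper and name are illustrative; the post showed only the body.
  async function validateTurnstileToken(token, ip) {
    // Debug log of the attempt (note: this writes the full token to the log).
    console.debug(
      `Validating turnstile token remoteIp=${ip ?? null} challengeTime=${new Date().toISOString()} token=${token}`
    )
    const url = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
    // POST the secret, the client's token and the optional client IP as JSON.
    const response = await fetch(url, {
      body: JSON.stringify({
        secret: process.env.TURNSTILE_SECRET_KEY,
        response: token,
        remoteip: ip,
      }),
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      cache: "no-cache",
    })
    // outcome.success is the verdict; outcome["error-codes"] explains failures.
    const outcome = await response.json()
    console.debug(`Validation result result=${JSON.stringify(outcome)}`)
    return outcome
  }
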
Validating turnstile token remoteIp=null challengeTime=2025-03-19T07:39:20.242Z token=0.oP0oZgPxePUr5VBM3s14pA2NZ-KB_cux56V9JJHVEpaTbmLo6QLZuxhdj3JtYZ1ZXnJGfWQxLMuz7e1iX0hz6V8e4Bfp2sXYwBpxxeb149zuVGaDWuGwaG1E9g_YC-Ey4W-qcutbbZr-0ZqoxBaWG1WLk91KGAFCgDtuQw882krYJBMadJNBdO7mYDzwsPHSYiU37Al0XdEPcjQhiP2j6cUMSG4kIoklKb4-dO6vdENpo68XenCBEhVjxwAi0BblqTsaes97Nb7Pb2chXZw2xs7Topgroq3Pl7E77TBMHyJM5HvvL2XR50tYCI57RMer8902tS5lxZbOa5940vc--9cHIIQzSXCulv88tm0pka_rIzLsgsvjwoPKP1ZxhSwsUcanol-JuBVk_J5M6Z5E7luGpYeY_dmQ1Qo_cSnIJ1jvaWK4q7hk0eBhAteIduWommsmIDwHlEvQrtXIeB2EhmIlX_yVof1o_FRQlFxuIFEiczu8q44F86v-B1cKhAitfvt-G70KDa1CvxHLX3sjkP76MN7v5Kqm82sw_aD5bf9j4xNF_4oYxBUtjQ2AkWkmRwzLmw_EOwEtZmtvk9Xd92Pmlzm7JwBagT-8ogF99N3nEp_rNf3rzhoHqy0Rl7X7sFtKWYsWw9ufmFqi4ySQZ9u19xqTIhSNDnk2dDFYukUQJPCp1XwRCCdjDxU7SWDpAE7gDM69VHGYwK04Jwo0m1zvW0Ix1ND9_QBAPf2L09TYM_oVhIHYIHsU_D9FQSZ_X3klxCacafnH2rmFla1G3BvbCe47N80giRXxomMYI6xnFyw9E0QwSf68oJKCEkXZEEwyAIsad-LpzrI0mEmHnQ.kYgGYNn61IibQcZcBragpg.0477fcff9277e492c0e8d35e8fa5c408961f58960d06a7d77152b53e111fbae3
Validation result result={"success":true,"error-codes":[],"challenge_ts":"2025-03-19T07:39:11.825Z","hostname":"localhost","action":"","cdata":"","metadata":{"interactive":true}}

Validating turnstile token remoteIp=null challengeTime=2025-03-19T07:39:35.606Z token=0.oP0oZgPxePUr5VBM3s14pA2NZ-KB_cux56V9JJHVEpaTbmLo6QLZuxhdj3JtYZ1ZXnJGfWQxLMuz7e1iX0hz6V8e4Bfp2sXYwBpxxeb149zuVGaDWuGwaG1E9g_YC-Ey4W-qcutbbZr-0ZqoxBaWG1WLk91KGAFCgDtuQw882krYJBMadJNBdO7mYDzwsPHSYiU37Al0XdEPcjQhiP2j6cUMSG4kIoklKb4-dO6vdENpo68XenCBEhVjxwAi0BblqTsaes97Nb7Pb2chXZw2xs7Topgroq3Pl7E77TBMHyJM5HvvL2XR50tYCI57RMer8902tS5lxZbOa5940vc--9cHIIQzSXCulv88tm0pka_rIzLsgsvjwoPKP1ZxhSwsUcanol-JuBVk_J5M6Z5E7luGpYeY_dmQ1Qo_cSnIJ1jvaWK4q7hk0eBhAteIduWommsmIDwHlEvQrtXIeB2EhmIlX_yVof1o_FRQlFxuIFEiczu8q44F86v-B1cKhAitfvt-G70KDa1CvxHLX3sjkP76MN7v5Kqm82sw_aD5bf9j4xNF_4oYxBUtjQ2AkWkmRwzLmw_EOwEtZmtvk9Xd92Pmlzm7JwBagT-8ogF99N3nEp_rNf3rzhoHqy0Rl7X7sFtKWYsWw9ufmFqi4ySQZ9u19xqTIhSNDnk2dDFYukUQJPCp1XwRCCdjDxU7SWDpAE7gDM69VHGYwK04Jwo0m1zvW0Ix1ND9_QBAPf2L09TYM_oVhIHYIHsU_D9FQSZ_X3klxCacafnH2rmFla1G3BvbCe47N80giRXxomMYI6xnFyw9E0QwSf68oJKCEkXZEEwyAIsad-LpzrI0mEmHnQ.kYgGYNn61IibQcZcBragpg.0477fcff9277e492c0e8d35e8fa5c408961f58960d06a7d77152b53e111fbae3
Validation result result={"success":true,"error-codes":[],"challenge_ts":"2025-03-19T07:39:11.825Z","hostname":"localhost","action":"","cdata":"","metadata":{"interactive":true}}

Validating turnstile token remoteIp=null challengeTime=2025-03-19T07:39:41.846Z token=0.oP0oZgPxePUr5VBM3s14pA2NZ-KB_cux56V9JJHVEpaTbmLo6QLZuxhdj3JtYZ1ZXnJGfWQxLMuz7e1iX0hz6V8e4Bfp2sXYwBpxxeb149zuVGaDWuGwaG1E9g_YC-Ey4W-qcutbbZr-0ZqoxBaWG1WLk91KGAFCgDtuQw882krYJBMadJNBdO7mYDzwsPHSYiU37Al0XdEPcjQhiP2j6cUMSG4kIoklKb4-dO6vdENpo68XenCBEhVjxwAi0BblqTsaes97Nb7Pb2chXZw2xs7Topgroq3Pl7E77TBMHyJM5HvvL2XR50tYCI57RMer8902tS5lxZbOa5940vc--9cHIIQzSXCulv88tm0pka_rIzLsgsvjwoPKP1ZxhSwsUcanol-JuBVk_J5M6Z5E7luGpYeY_dmQ1Qo_cSnIJ1jvaWK4q7hk0eBhAteIduWommsmIDwHlEvQrtXIeB2EhmIlX_yVof1o_FRQlFxuIFEiczu8q44F86v-B1cKhAitfvt-G70KDa1CvxHLX3sjkP76MN7v5Kqm82sw_aD5bf9j4xNF_4oYxBUtjQ2AkWkmRwzLmw_EOwEtZmtvk9Xd92Pmlzm7JwBagT-8ogF99N3nEp_rNf3rzhoHqy0Rl7X7sFtKWYsWw9ufmFqi4ySQZ9u19xqTIhSNDnk2dDFYukUQJPCp1XwRCCdjDxU7SWDpAE7gDM69VHGYwK04Jwo0m1zvW0Ix1ND9_QBAPf2L09TYM_oVhIHYIHsU_D9FQSZ_X3klxCacafnH2rmFla1G3BvbCe47N80giRXxomMYI6xnFyw9E0QwSf68oJKCEkXZEEwyAIsad-LpzrI0mEmHnQ.kYgGYNn61IibQcZcBragpg.0477fcff9277e492c0e8d35e8fa5c408961f58960d06a7d77152b53e111fbae3
Validation result result={"success":false,"error-codes":["timeout-or-duplicate"],"messages":[],"challenge_ts":"2025-03-19T07:39:11.825Z","hostname":"localhost","action":"","cdata":"","tokenId":"922b506928b9045b"}

Validating turnstile token remoteIp=null challengeTime=2025-03-19T07:39:46.939Z token=0.oP0oZgPxePUr5VBM3s14pA2NZ-KB_cux56V9JJHVEpaTbmLo6QLZuxhdj3JtYZ1ZXnJGfWQxLMuz7e1iX0hz6V8e4Bfp2sXYwBpxxeb149zuVGaDWuGwaG1E9g_YC-Ey4W-qcutbbZr-0ZqoxBaWG1WLk91KGAFCgDtuQw882krYJBMadJNBdO7mYDzwsPHSYiU37Al0XdEPcjQhiP2j6cUMSG4kIoklKb4-dO6vdENpo68XenCBEhVjxwAi0BblqTsaes97Nb7Pb2chXZw2xs7Topgroq3Pl7E77TBMHyJM5HvvL2XR50tYCI57RMer8902tS5lxZbOa5940vc--9cHIIQzSXCulv88tm0pka_rIzLsgsvjwoPKP1ZxhSwsUcanol-JuBVk_J5M6Z5E7luGpYeY_dmQ1Qo_cSnIJ1jvaWK4q7hk0eBhAteIduWommsmIDwHlEvQrtXIeB2EhmIlX_yVof1o_FRQlFxuIFEiczu8q44F86v-B1cKhAitfvt-G70KDa1CvxHLX3sjkP76MN7v5Kqm82sw_aD5bf9j4xNF_4oYxBUtjQ2AkWkmRwzLmw_EOwEtZmtvk9Xd92Pmlzm7JwBagT-8ogF99N3nEp_rNf3rzhoHqy0Rl7X7sFtKWYsWw9ufmFqi4ySQZ9u19xqTIhSNDnk2dDFYukUQJPCp1XwRCCdjDxU7SWDpAE7gDM69VHGYwK04Jwo0m1zvW0Ix1ND9_QBAPf2L09TYM_oVhIHYIHsU_D9FQSZ_X3klxCacafnH2rmFla1G3BvbCe47N80giRXxomMYI6xnFyw9E0QwSf68oJKCEkXZEEwyAIsad-LpzrI0mEmHnQ.kYgGYNn61IibQcZcBragpg.0477fcff9277e492c0e8d35e8fa5c408961f58960d06a7d77152b53e111fbae3
Validation result result={"success":false,"error-codes":["timeout-or-duplicate"],"messages":[],"challenge_ts":"2025-03-19T07:39:11.825Z","hostname":"localhost","action":"","cdata":"","tokenId":"922b506928b9045b"}

Validating turnstile token remoteIp=null challengeTime=2025-03-19T07:39:52.063Z token=0.oP0oZgPxePUr5VBM3s14pA2NZ-KB_cux56V9JJHVEpaTbmLo6QLZuxhdj3JtYZ1ZXnJGfWQxLMuz7e1iX0hz6V8e4Bfp2sXYwBpxxeb149zuVGaDWuGwaG1E9g_YC-Ey4W-qcutbbZr-0ZqoxBaWG1WLk91KGAFCgDtuQw882krYJBMadJNBdO7mYDzwsPHSYiU37Al0XdEPcjQhiP2j6cUMSG4kIoklKb4-dO6vdENpo68XenCBEhVjxwAi0BblqTsaes97Nb7Pb2chXZw2xs7Topgroq3Pl7E77TBMHyJM5HvvL2XR50tYCI57RMer8902tS5lxZbOa5940vc--9cHIIQzSXCulv88tm0pka_rIzLsgsvjwoPKP1ZxhSwsUcanol-JuBVk_J5M6Z5E7luGpYeY_dmQ1Qo_cSnIJ1jvaWK4q7hk0eBhAteIduWommsmIDwHlEvQrtXIeB2EhmIlX_yVof1o_FRQlFxuIFEiczu8q44F86v-B1cKhAitfvt-G70KDa1CvxHLX3sjkP76MN7v5Kqm82sw_aD5bf9j4xNF_4oYxBUtjQ2AkWkmRwzLmw_EOwEtZmtvk9Xd92Pmlzm7JwBagT-8ogF99N3nEp_rNf3rzhoHqy0Rl7X7sFtKWYsWw9ufmFqi4ySQZ9u19xqTIhSNDnk2dDFYukUQJPCp1XwRCCdjDxU7SWDpAE7gDM69VHGYwK04Jwo0m1zvW0Ix1ND9_QBAPf2L09TYM_oVhIHYIHsU_D9FQSZ_X3klxCacafnH2rmFla1G3BvbCe47N80giRXxomMYI6xnFyw9E0QwSf68oJKCEkXZEEwyAIsad-LpzrI0mEmHnQ.kYgGYNn61IibQcZcBragpg.0477fcff9277e492c0e8d35e8fa5c408961f58960d06a7d77152b53e111fbae3
Validation result result={"success":true,"error-codes":[],"challenge_ts":"2025-03-19T07:39:11.825Z","hostname":"localhost","action":"","cdata":"","metadata":{"interactive":true}}
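
Added example (not part of the thread and not Cloudflare's code): one way an application can enforce single use on its own side, so that a replayed token is refused even when siteverify answers success again, as in the log above. The class name, the injected `verify` callback, the 300-second lifetime and the stub response are assumptions, and the in-memory map only covers a single process.

```javascript
// Local single-use guard in front of siteverify (added example).
// `verify` is injected so the demo runs offline; in production it would be
// the fetch call to /turnstile/v0/siteverify shown in the post above.
class SingleUseTurnstile {
  constructor(verify, { ttlMs = 300_000, expectedHostname, now = Date.now } = {}) {
    this.verify = verify // async (token, ip) => siteverify JSON outcome
    this.ttlMs = ttlMs // assumed token lifetime (5 minutes)
    this.expectedHostname = expectedHostname
    this.now = now
    this.claimed = new Map() // token -> expiry in ms; per-process only
  }

  async redeem(token, ip) {
    const t = this.now()
    for (const [k, exp] of this.claimed) if (exp <= t) this.claimed.delete(k)
    // Claim synchronously, before any await, so two concurrent requests
    // carrying the same token cannot both reach the success path.
    if (this.claimed.has(token)) return { ok: false, reason: "replayed-locally" }
    this.claimed.set(token, t + this.ttlMs)
    let outcome
    try {
      outcome = await this.verify(token, ip)
    } catch (err) {
      this.claimed.delete(token) // transport failure: release the claim for a retry
      throw err
    }
    if (!outcome.success) {
      return { ok: false, reason: (outcome["error-codes"] || []).join(",") || "rejected" }
    }
    if (this.expectedHostname && outcome.hostname !== this.expectedHostname) {
      return { ok: false, reason: "hostname-mismatch" }
    }
    // Reject a challenge solved longer ago than the lifetime (NaN also fails).
    const ageMs = t - Date.parse(outcome.challenge_ts)
    if (!(ageMs <= this.ttlMs)) return { ok: false, reason: "stale-challenge" }
    return { ok: true }
  }
}

// Constructed stub: always answers success, like the replayed calls in the log.
const alwaysSuccess = async () => ({
  success: true, "error-codes": [], challenge_ts: "2025-03-19T07:39:11.825Z", hostname: "localhost",
})

// Redeems one constructed token five times; only the first attempt may pass.
async function demo() {
  const now = () => Date.parse("2025-03-19T07:39:20.242Z")
  const guard = new SingleUseTurnstile(alwaysSuccess, { expectedHostname: "localhost", now })
  const results = []
  for (let i = 0; i < 5; i++) results.push(await guard.redeem("constructed-token", null))
  return results
}
```

With several backend instances the claim has to live in a shared store with an atomic set-if-absent and the same expiry, otherwise each instance accepts the token once.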