Race conditions on the web are one of my favorite vulnerability classes. Easy and often fairly impactful. In this case the race is against the rate-limiting of password reset token checks on AWS Cognito. It normally allowed 5-20 attempts per hour, but by making many at once you could get several attempts through the check before the count caught up.