2FA Bypass by Forcing Use of the non-2FA Endpoint

We discussed this vulnerability during Episode 141 on 02 May 2022

Probably as easy a 2FA bypass as I’ve seen. Effectively, if the account had 2FA enabled, the second stage of the password reset form would submit to /reset2fa; if no 2FA was registered for the account, it would submit to /reset. The attack was simply to modify the submission to point to /reset instead of /reset2fa, and it wouldn’t prompt for the 2FA token.
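As an added example (not code from the episode or the affected site), here is the flawed two-endpoint flow modelled in Python beside a fix that decides 2FA enforcement from the account record rather than from which endpoint the client submitted to; the user records, token values and request handling are constructed for illustration.

```python
import hmac

# Constructed user store: whether 2FA is enrolled is a property of the account
# on the server, not something the client may assert by choosing a form target.
USERS = {
    "alice": {"has_2fa": True, "valid_2fa_token": "123456"},  # constructed values
    "bob": {"has_2fa": False, "valid_2fa_token": None},
}


def _token_ok(user, form):
    """Constant-time check of the submitted token; a missing token never matches."""
    token = form.get("token")
    expected = user["valid_2fa_token"]
    return token is not None and expected is not None and hmac.compare_digest(token, expected)


def vulnerable_reset(path, form):
    """Flawed flow: the endpoint the client posted to decides whether 2FA is checked."""
    user = USERS[form["username"]]
    if path == "/reset2fa":
        if not _token_ok(user, form):
            return (False, "bad 2FA token")
    elif path != "/reset":
        return (False, "unknown endpoint")
    # /reset never consults user["has_2fa"], so an enrolled account can be reset
    # simply by submitting the second-stage form here instead of to /reset2fa.
    return (True, "password changed")


def hardened_reset(path, form):
    """Fixed flow: the server decides from the account record, whatever path was used."""
    if path not in ("/reset", "/reset2fa"):
        return (False, "unknown endpoint")
    user = USERS[form["username"]]
    if user["has_2fa"]:
        if form.get("token") is None:
            return (False, "2FA token required")
        if not _token_ok(user, form):
            return (False, "bad 2FA token")
    return (True, "password changed")
```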