Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter

GHSA-3f5f-xgrj-97pf · BIT-parse-2025-68150 · CVE-2025-68150

Published Dec 16, 2025 · Modified Feb 3, 2026

Description

Impact

The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users.

Patches

Fixed by hardcoding the Instagram Graph API URL https://graph.instagram.com and ignoring client-provided apiURL values.

Workarounds

None.

References

WEB https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-68150
WEB https://github.com/parse-community/parse-server/pull/9988
WEB https://github.com/parse-community/parse-server/pull/9989
PACKAGE https://github.com/parse-community/parse-server

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes