CVE-2025-68150

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.2 Parse Server versions prior to 9.1.1-alpha.1

Description Parse Server, a backend deployable on Node.js infrastructure, contains a flaw in its Instagram authentication adapter. Prior to versions 8.6.2 and 9.1.1-alpha.1, the apiURL parameter within authData could be manipulated by clients to specify a custom API URL. This allows for Server-Side Request Forgery (SSRF) attacks and potentially bypasses authentication if malicious endpoints return fabricated responses, validating unauthorized users. The issue is addressed by hardcoding the Instagram Graph API URL (https://graph.instagram.com) and disregarding client-provided apiURL values in versions 8.6.2 and 9.1.1-alpha.1. The vulnerable component is the Instagram authentication adapter.

Recommendations Update Parse Server to version 8.6.2 or later. Update Parse Server to version 9.1.1-alpha.1 or later.