Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
- Severity:
- High
Description
The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 9.0.0, < 9.1.1-alpha.1 < 8.6.2** Patched version(s): **9.1.1-alpha.1 8.6.2**
References
Related Issues
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on January 07, 2026