Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
- Severity: High
Description
The Instagram authentication adapter accepts a client-supplied `apiURL` field inside `authData` and uses it as the base URL for the request that validates the Instagram access token. A client can therefore make the Parse Server issue outbound requests to arbitrary hosts, including internal services (SSRF). Because the same request decides whether the login is accepted, a client that points `apiURL` at an endpoint it controls can have that endpoint return a fabricated "valid" response and get unauthorized `authData` accepted as a legitimate login (authentication bypass).
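The following is an added illustration of the pattern described above; it is not parse-server's own adapter code. It contrasts a validation-URL builder that trusts `authData.apiURL` with one that ignores client input and pins the host. The function names, `DEFAULT_API_URL`, the allowed host and the sample `authData` objects are assumptions made for this example.

```javascript
// Added example, not parse-server's adapter. Demonstrates why a client-controlled
// apiURL in authData is an SSRF and auth-bypass primitive, and one hardened form.
// All names and sample data below are constructed for this illustration.

// Assumed default endpoint for this example; the real adapter's default may differ.
const DEFAULT_API_URL = 'https://graph.instagram.com/';
const ALLOWED_HOST = 'graph.instagram.com';

function validationPath(authData) {
  // Relative path queried against the Graph API to learn who owns the token.
  return `me?fields=id&access_token=${encodeURIComponent(authData.access_token)}`;
}

// Vulnerable pattern: whatever apiURL the client placed in authData becomes the
// base of the server's outbound request. An attacker can aim it at internal
// services, or at a host they run that answers {"id": "<claimed id>"}.
function buildValidationUrlVulnerable(authData) {
  const base = authData.apiURL || DEFAULT_API_URL;
  return new URL(validationPath(authData), base).toString();
}

// Hardened pattern: never read apiURL from authData. Any override comes from
// server-side configuration and is still pinned to https and the expected host.
function buildValidationUrlHardened(authData, serverConfig = {}) {
  if (Object.prototype.hasOwnProperty.call(authData, 'apiURL')) {
    throw new Error('authData.apiURL is not accepted from clients');
  }
  const base = new URL(serverConfig.apiURL || DEFAULT_API_URL);
  if (base.protocol !== 'https:' || base.hostname !== ALLOWED_HOST) {
    throw new Error(`Instagram API URL must be https://${ALLOWED_HOST}/`);
  }
  return new URL(validationPath(authData), base).toString();
}

// The usual post-request check: the id the API returns must equal the id the
// client claims. On its own this does not stop the bypass, because an
// attacker-controlled endpoint simply echoes the claimed id; pinning the host
// is what makes the check meaningful.
function tokenBelongsToUser(authData, apiResponse) {
  return typeof apiResponse.id === 'string' && apiResponse.id === authData.id;
}

// Constructed attacker authData: cloud metadata address supplied as the API base.
const attackerAuthData = {
  id: '123',
  access_token: 'anything',
  apiURL: 'http://169.254.169.254/latest/meta-data/',
};

// Constructed legitimate authData: no apiURL field at all.
const legitAuthData = { id: '123', access_token: 'token-from-instagram' };

function demo() {
  const results = {};
  results.vulnerableTarget = buildValidationUrlVulnerable(attackerAuthData);
  try {
    buildValidationUrlHardened(attackerAuthData);
    results.hardenedRejected = false;
  } catch (e) {
    results.hardenedRejected = true;
  }
  results.hardenedTarget = buildValidationUrlHardened(legitAuthData);
  // A fake endpoint echoing the claimed id passes the id comparison.
  results.fakeResponseAccepted = tokenBelongsToUser(attackerAuthData, { id: '123' });
  return results;
}

console.log(demo());
```

Running the block prints the outbound URL the vulnerable builder would contact (the metadata service), shows the hardened builder rejecting the same input, and shows that the id comparison alone accepts a fabricated response. When reviewing a custom auth adapter, the check to make is that nothing in `authData` influences the host, scheme or port of the validation request.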
Recommendation
Update the parse-server package to a patched version for the release line you are on. Version details:
Affected version(s): **>= 9.0.0, < 9.1.1-alpha.1** and **< 8.6.2**
Patched version(s): **9.1.1-alpha.1** (9.x line) and **8.6.2** (8.x line)
Related Issues
- Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - CVE-2025-12758
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details - CVE-2025-64502
- Tags:
- npm
- parse-server
Last updated on January 07, 2026