Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
- Severity:
- High
Description
The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 9.0.0, < 9.1.1-alpha.1 < 8.6.2** Patched version(s): **9.1.1-alpha.1 8.6.2**
References
Related Issues
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
- Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on January 07, 2026