BIT-parse-2025-68150

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2025-68150.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-parse-2025-68150

Aliases

Published

2025-12-18T11:46:18.950Z

Modified

2026-01-08T18:24:09.284448Z

Summary

Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1 by hardcoding the Instagram Graph API URL https://graph.instagram.com and ignoring client-provided apiURL values. No known workarounds are available.

Database specific

{
    "cpes": [
        "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / parse

Package

Name: parse
Purl: pkg:bitnami/parse

Severity

8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.2

Introduced

9.0.0

Fixed

9.1.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2025-68150.json"