GHSA-3f5f-xgrj-97pf

Source

https://github.com/advisories/GHSA-3f5f-xgrj-97pf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3f5f-xgrj-97pf/GHSA-3f5f-xgrj-97pf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3f5f-xgrj-97pf

Aliases

Published

2025-12-16T22:35:40Z

Modified

2026-02-03T03:16:25.119866Z

Severity

8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator

Summary

Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter

Details

Impact

The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users.

Patches

Fixed by hardcoding the Instagram Graph API URL https://graph.instagram.com and ignoring client-provided apiURL values.

Workarounds

None.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T22:35:40Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "nvd_published_at": "2025-12-16T19:16:00Z",
    "severity": "HIGH"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.1.1-alpha.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3f5f-xgrj-97pf/GHSA-3f5f-xgrj-97pf.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3f5f-xgrj-97pf/GHSA-3f5f-xgrj-97pf.json"