Platform: nodejs
Component: parse-server
Fixed in: 8.6.3, 9.0.1, 9.1.1-alpha.1
CVE-2025-68150 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Parse Server. This flaw allows attackers to manipulate API requests, potentially leading to authentication bypass and unauthorized access to internal resources. The vulnerability impacts versions of Parse Server before 9.1.1-alpha.1, and a fix has been released.
The core of this vulnerability lies within the Instagram authentication adapter, specifically the apiURL parameter. Malicious actors can leverage this parameter to inject arbitrary URLs, effectively tricking Parse Server into making requests to unintended destinations. This SSRF capability can be exploited to bypass authentication checks if the attacker controls a malicious endpoint that returns crafted responses mimicking legitimate Instagram Graph API responses. The potential blast radius extends to any internal services or data accessible via the server's network that Parse Server can reach through these forged requests. Successful exploitation could lead to unauthorized data access and modification.
CVE-2025-68150 was publicly disclosed on December 16, 2025. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.10% (27th percentile)
CISA SSVC
The primary mitigation for CVE-2025-68150 is to upgrade to Parse Server version 9.1.1-alpha.1 or later. This version hardcodes the Instagram Graph API URL (https://graph.instagram.com) and ignores any client-provided apiURL values, effectively eliminating the vulnerability. As no workarounds are provided in the advisory, upgrading is the only recommended course of action. After upgrading, confirm the fix by attempting to authenticate with a crafted apiURL parameter; the authentication should fail, indicating the parameter is no longer honored.
Update Parse Server to version 8.6.2 or higher. If using a 9.x version, update to version 9.1.1-alpha.1 or higher. This corrects the SSRF vulnerability by hardcoding the Instagram API URL and preventing clients from specifying a custom URL.
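As an added illustration (not Parse Server's own code), the following simplified model shows the weak pattern the advisory describes (a client-supplied apiURL decides where the server sends its token-validation request) beside the hardened one (fixed https://graph.instagram.com host, client value ignored), plus an audit helper a defender can use to flag authData that still carries an apiURL. Function names, the /me endpoint, the fields parameter and the sample authData are assumptions.

```javascript
// Added example, not Parse Server code: a simplified adapter-style builder for
// the Instagram token-validation request. Names and endpoint are assumptions.
const INSTAGRAM_GRAPH_API = 'https://graph.instagram.com';

// Weak pattern: the origin the server will contact is taken from client authData,
// so a client-controlled apiURL redirects the server's outbound request (SSRF).
function buildValidationUrlWeak(authData) {
  const base = authData.apiURL || INSTAGRAM_GRAPH_API;
  const url = new URL('/me', base);
  url.searchParams.set('fields', 'id');
  url.searchParams.set('access_token', authData.access_token);
  return url.toString();
}

// Hardened pattern (what the fix does): the host is a constant and any
// client-supplied apiURL is simply never read.
function buildValidationUrlHardened(authData) {
  const url = new URL('/me', INSTAGRAM_GRAPH_API);
  url.searchParams.set('fields', 'id');
  url.searchParams.set('access_token', authData.access_token);
  return url.toString();
}

// Defender-side audit: report whether the client sent an apiURL at all (worth
// logging/alerting on after the upgrade) and whether the URL the server would
// actually call stays on the expected Instagram origin.
function auditAuthData(authData, builder) {
  const target = new URL(builder(authData));
  return {
    clientSuppliedApiUrl: Object.prototype.hasOwnProperty.call(authData, 'apiURL'),
    targetOrigin: target.origin,
    onExpectedOrigin: target.origin === INSTAGRAM_GRAPH_API,
  };
}

// Constructed sample authData with a client-supplied apiURL pointing at a
// placeholder host (not a real system).
const sampleAuthData = {
  id: 'user-123',
  access_token: 'tok-abc',
  apiURL: 'http://untrusted.example',
};

console.log(auditAuthData(sampleAuthData, buildValidationUrlWeak));     // onExpectedOrigin: false
console.log(auditAuthData(sampleAuthData, buildValidationUrlHardened)); // onExpectedOrigin: true
```

Running the audit against the weak builder reproduces the advisory's condition (request leaves the Instagram origin); against the hardened builder the same authData is harmless, which is the post-upgrade behavior the advisory tells you to confirm.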
CVE-2025-68150 is a Server-Side Request Forgery vulnerability in Parse Server allowing attackers to potentially bypass authentication and access internal resources through manipulated API requests.
You are affected if you are running Parse Server versions prior to 9.1.1-alpha.1 and utilize the Instagram authentication adapter.
Upgrade to Parse Server version 9.1.1-alpha.1 or later, which hardcodes the Instagram Graph API URL and ignores client-provided values.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official Parse Server security advisories and release notes for details on this vulnerability and the corresponding fix.