Platform
nodejs
Component
parse-server
Fixed versions
8.6.3
9.0.1
8.6.3
9.1.1-alpha.1
CVE-2025-68150 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Parse Server. This flaw allows attackers to manipulate API requests, potentially leading to authentication bypass and unauthorized access to internal resources. The vulnerability impacts versions of Parse Server before 9.1.1-alpha.1, and a fix has been released.
The core of this vulnerability lies within the Instagram authentication adapter, specifically the apiURL parameter. Malicious actors can leverage this parameter to inject arbitrary URLs, effectively tricking Parse Server into making requests to unintended destinations. This SSRF capability can be exploited to bypass authentication checks if the attacker controls a malicious endpoint that returns crafted responses mimicking legitimate Instagram Graph API responses. The potential blast radius extends to any internal services or data accessible via the server's network that Parse Server can reach through these forged requests. Successful exploitation could lead to unauthorized data access and modification.
CVE-2025-68150 was publicly disclosed on December 16, 2025. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. Monitor security advisories and vulnerability databases for updates.
Organizations utilizing Parse Server for backend services, particularly those integrating with Instagram authentication, are at risk. This includes applications relying on custom API URLs for authentication and those running older, unpatched versions of Parse Server.
• nodejs / server:
grep -r 'authData.apiURL' /opt/parse-server/app/lib/instagram.js
• generic web:
curl -I https://your-parse-server/instagram/auth | grep apiURL
Exploit status
EPSS
0.10% (27th percentile)
CISA SSVC
The primary mitigation for CVE-2025-68150 is to upgrade to Parse Server version 9.1.1-alpha.1 or later. This version hardcodes the Instagram Graph API URL (https://graph.instagram.com) and ignores any client-provided apiURL values, effectively eliminating the vulnerability. As no workarounds are provided in the advisory, upgrading is the only recommended course of action. After upgrading, confirm the fix by attempting to authenticate with a crafted apiURL parameter; the authentication should fail, indicating the parameter is no longer honored.
Update Parse Server to version 8.6.2 or later. If you are using version 9.x, update to version 9.1.1-alpha.1 or later. These releases fix the SSRF vulnerability by hardcoding the Instagram API URL so that clients can no longer specify a custom URL.
CVE-2025-68150 is a Server-Side Request Forgery vulnerability in Parse Server allowing attackers to potentially bypass authentication and access internal resources through manipulated API requests.
You are affected if you are running Parse Server versions prior to 9.1.1-alpha.1 and utilize the Instagram authentication adapter.
Upgrade to Parse Server version 9.1.1-alpha.1 or later, which hardcodes the Instagram Graph API URL and ignores client-provided values.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official Parse Server security advisories and release notes for details on this vulnerability and the corresponding fix.