CVE-2025-68150
📋 TL;DR
Parse Server's Instagram authentication adapter allows attackers to specify custom API URLs, enabling Server-Side Request Forgery (SSRF) attacks. This could lead to authentication bypass if malicious endpoints return fake validation responses. All Parse Server deployments using Instagram authentication prior to patched versions are affected.
💻 Affected Systems
- Parse Server
📦 What is this software?
Parse Server by Parseplatform
⚠️ Risk & Real-World Impact
Worst Case
Authentication bypass allowing unauthorized access to protected resources, SSRF attacks against internal infrastructure, and potential data exfiltration.
Likely Case
SSRF attacks against internal services and potential authentication bypass for specific users.
If Mitigated
Limited impact if Instagram authentication is not used or if network controls restrict outbound requests.
🎯 Exploit Status
Exploitation requires knowledge of Instagram authentication implementation and ability to craft malicious authData.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.6.2 or 9.1.1-alpha.1
Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf
Restart Required: Yes
Instructions:
1. Update Parse Server to version 8.6.2 or 9.1.1-alpha.1 using npm update parse-server.
2. Restart the Parse Server application.
3. Verify the fix by checking the version.
🧯 If You Can't Patch
- Disable Instagram authentication adapter if not required.
- Implement network controls to restrict outbound requests from Parse Server to only trusted Instagram API endpoints.
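Where the adapter's input can be screened before it reaches the validation step (for example in a cloud-code hook in front of the login route), an allowlist on the client-supplied apiURL removes the SSRF vector at the application layer. The following is an added example, not Parse Server's own code; it assumes authData carries an optional string field named apiURL, as the advisory describes, and compares the parsed origin rather than a substring so look-alike hosts and userinfo tricks are rejected.

```javascript
// Added example (not Parse Server's own code): reject an Instagram authData
// object whose apiURL does not point at the genuine Instagram Graph API.
// Assumes authData may carry an optional string field "apiURL".

// Only this origin is acceptable for the Instagram Graph API (constructed allowlist).
const ALLOWED_ORIGIN = 'https://graph.instagram.com';

// Returns true when apiURL is absent (adapter default applies) or is exactly the
// allowed origin; anything else, including unparsable values, is rejected.
function isAllowedApiUrl(apiURL) {
  if (apiURL === undefined || apiURL === null) return true;
  if (typeof apiURL !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(apiURL); // WHATWG URL parser, global in Node.js
  } catch {
    return false;
  }
  // Compare the parsed origin, not the raw text: "graph.instagram.com.evil.example"
  // and "graph.instagram.com@127.0.0.1" both contain the trusted hostname as text.
  if (parsed.origin !== ALLOWED_ORIGIN) return false;
  // Embedded credentials have no legitimate use here; refuse them outright.
  if (parsed.username !== '' || parsed.password !== '') return false;
  return true;
}

// Throws on a disallowed apiURL; otherwise returns a copy of authData with the
// client-supplied apiURL removed so the adapter always falls back to its default.
function sanitizeInstagramAuthData(authData) {
  if (!authData || typeof authData !== 'object') {
    throw new Error('authData must be an object');
  }
  if (!isAllowedApiUrl(authData.apiURL)) {
    throw new Error('Instagram authData.apiURL is not an allowed endpoint');
  }
  const { apiURL, ...rest } = authData;
  return rest;
}
```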
🔍 How to Verify
Check if Vulnerable:
Check if Parse Server version is below 8.6.2 and Instagram authentication is configured.
Check Version:
npm list parse-server | grep parse-server
Verify Fix Applied:
Verify Parse Server version is 8.6.2 or higher, or 9.1.1-alpha.1 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts using Instagram adapter
- Requests to non-standard Instagram API URLs
Network Indicators:
- Outbound requests from Parse Server during authentication to any host other than graph.instagram.com
SIEM Query:
source="parse-server" AND (message="Instagram auth" OR message="apiURL") AND NOT destination="graph.instagram.com"