Primary

Context

Parse Server Instagram Authentication Adapter Server-Side Request Forgery Vulnerability

Vulnerability

Patched

A server-side request forgery (SSRF) vulnerability has been identified in the Instagram authentication adapter of Parse Server. This issue affects versions 9.0.0 prior to 9.1.1-alpha.1 and versions prior to 8.6.2. The vulnerability allows clients to specify a custom API URL, which could be exploited to perform SSRF attacks. Additionally, there is a possibility of authentication bypass if malicious endpoints return deceptive responses that validate unauthorized users.

Impact

Exploitation of this vulnerability could lead to SSRF attacks, allowing an attacker to make server-side requests to internal services or resources. Furthermore, there is a potential for authentication bypass, enabling unauthorized users to gain access by manipulating the authentication process.

Remediation

Users can upgrade to Parse Server versions 9.1.1-alpha.1 or 8.6.2 to address this vulnerability. Instructions for upgrading can be found in the Parse Server documentation.

Added: Dec 16, 2025, 7:38 PM

Updated: Dec 16, 2025, 7:38 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

0.6

exploitability

5.4

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

0.6

exploitability

5.4

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Parse Server Instagram Authentication Adapter Server-Side Request Forgery Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Parse Server

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating