CVE-2025-68150

EPSS 0.1%
Veröffentlicht 16.12.2025 18:15:09
Zuletzt bearbeitet 02.01.2026 16:39:47
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.2

Parseplatform ≫ Parse-server Version9.0.0 Update- SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha10 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha11 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha8 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.0.0 Updatealpha9 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.1.0 Update- SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.1.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.1.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.1.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.1.0 Updatealpha4 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.27

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf

Third Party Advisory

https://github.com/parse-community/parse-server/pull/9988

Patch

Issue Tracking

https://github.com/parse-community/parse-server/pull/9989

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-68150

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68150

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68150

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68150