What is SSRF (Server-Side Request Forgery)?

An attack where an attacker causes a server to make HTTP requests to destinations chosen by the attacker — often internal networks or cloud metadata endpoints.

Full explanation

SSRF occurs when an application accepts a URL from user input and makes a server-side request to it. If the attacker can specify internal IPs (127.0.0.1, 169.254.169.254, or private network ranges), the server can be tricked into fetching cloud metadata (AWS IMDS, GCP metadata) or internal admin interfaces. SSRF is how attackers break out of an isolated app and into the infrastructure around it.

Example

An image-proxy endpoint `/proxy?url=...` that fetches the supplied URL server-side and returns the response to the caller. The attacker passes `http://169.254.169.254/latest/meta-data/iam/` to exfiltrate AWS instance credentials.
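As an added defender-side example, not code from the original page: a Python validator for such a proxy that enforces a host allow-list, resolves the hostname, refuses any answer in loopback, link-local (which covers 169.254.169.254), private or IPv4-mapped ranges, and returns the single IP the fetch must be pinned to. The allow-list entries and the injectable `resolver` hook are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allow-list for the image proxy: the only origins it may fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (covers 169.254.169.254) and other reserved ranges."""
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped IPv6 literal cannot skip the IPv4 checks.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def resolve_all(host: str) -> set[str]:
    """Every A/AAAA answer for host; a single non-public answer fails the check."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_proxy_url(url: str, resolver=resolve_all) -> str:
    """Validate a user-supplied proxy URL and return the one IP the fetch must
    connect to. Raises ValueError for anything that is not an allow-listed,
    publicly routable http(s) origin."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname  # lower-cased, with userinfo and brackets stripped
    if not host:
        raise ValueError("URL has no host")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allow-list: {host!r}")
    ips = resolver(host)
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise ValueError(f"{host!r} resolves to a non-public address")
    # Pin the connection to one validated IP (send Host: <host> yourself) so a
    # second DNS lookup at connect time cannot return a different, internal answer.
    return min(ips)
```

Disable redirect following in the HTTP client, or run every redirect target through the same validator, since a redirect from an allow-listed host otherwise re-opens the internal path.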

FAQ

Does IMDSv2 fix SSRF?

It closes the AWS metadata path, but it does not protect your other internal services from SSRF.