Cloud Metadata Disclosure

Severity:: High

Description

Cloud Metadata Disclosure occurs when a server retrieves and discloses sensitive information from cloud metadata services. This typically happens when user-controlled input is used to access internal metadata endpoints, potentially exposing credentials, tokens, or configuration details.

Recommendation

To prevent metadata exposure, block access to cloud metadata endpoints (such as 169.254.169.254) from untrusted inputs. Avoid using user-supplied data in server-side requests. Implement strict outbound request filtering, enforce authentication where possible, and use cloud provider protections such as IMDSv2 or equivalent.

References

CWE-1230
CWE-200
CWE-918
CAPEC-118
OWASP 2021-A1
OWASP 2021-A10
OWASP 2021-A5

Related Issues

Remote File Disclosure - Vulnerability
Windows Path Disclosure - Vulnerability
Apache Version Disclosure - Vulnerability
Unreferenced Source Code Disclosure - Vulnerability

Tags:: Information Disclosure; SSRF

Anything's wrong? Let us know Last updated on March 30, 2026