Description
A Possible Server-Side Request Forgery (SSRF) vulnerability occurs when a server appears to make outbound requests based on user-supplied input. Indicators such as response delays or unusual behavior suggest the server may be attempting to access internal or external resources.
Recommendation
To reduce the risk of SSRF, validate and restrict all outbound requests to trusted destinations using an allow list. Avoid using user input directly in request URLs. Implement network controls to block access to internal IP ranges and metadata services, and monitor for unusual outbound traffic patterns.
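One way to implement the allow-list and internal-range checks described above, as an added example that is not from the original page (the host names in the allow list and the injectable resolver are assumptions for offline testing):

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Allow list for this service's outbound fetches (constructed example values).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses: is_global is False for
    loopback, RFC 1918, link-local (169.254.0.0/16, which covers the cloud
    metadata endpoint), shared, reserved and documentation ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return url if it passes every check, else raise ValueError.
    resolver is injectable (assumed stub) so the logic can run offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow list: {host!r}")
    port = parsed.port or 443
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # Resolve the name and require every address to be public, so an allow-listed
    # name that points (now or later) at an internal address is still refused.
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    for info in infos:
        if not is_public_ip(info[4][0]):
            raise ValueError(f"{host!r} resolves to non-public address {info[4][0]}")
    return url


def is_allowed_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

Pair this with egress firewall rules and outbound-traffic monitoring; the resolver check here is a per-request guard, not a substitute for network controls.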
References
- OWASP: Server-Side Request Forgery (SSRF)
- Wikipedia: Server-side request forgery
- CWE-20
- CWE-918
- CAPEC-664
- OWASP 2021-A10
- OWASP 2021-A3
Related Issues
- Server-Side Request Forgery - Vulnerability
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
Tags
- SSRF
- Injection
- Access Control
Last updated on March 30, 2026