SSRF

Security

Last updated: October 21, 2025

Overview

Bug Type:
SSRF
Category:
Security

Definition

Server makes attacker-controlled outbound requests to internal/external hosts.

How to fix SSRF?

Deny by default and allowlist the permitted hosts and schemes; block link-local and internal IP ranges; disable redirect following; resolve the hostname and verify the resulting IP before connecting; enforce egress filtering at the network layer.
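The fix list above, as one added example (not code from the page or from peqy.ai): a deny-by-default URL validator in Python. The allowlist, the fake DNS table and the IP values are constructed for the example; the `fake_resolver` stands in for `socket.getaddrinfo` so the check runs offline. Scheme, userinfo and host are checked first, then the name is resolved and every returned address is tested against loopback, link-local (which covers 169.254.169.254), private, multicast, reserved and unspecified ranges, with IPv4-mapped IPv6 unwrapped so `::ffff:127.0.0.1` is judged as `127.0.0.1`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real service loads it from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
DEFAULT_PORTS = {"https": 443}


def is_blocked_ip(ip_str):
    """True for loopback, link-local, private, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4 address is what gets judged.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Deny-by-default check for a user-supplied URL.

    Returns (ok, reason, pinned_ip). On success pinned_ip is the verified
    address the caller should actually connect to.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    # Reject user:pass@host forms: they are a common way to disguise the real host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", None
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not allowlisted", None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return False, "invalid port", None
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "dns resolution failed", None
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        return False, "no addresses returned", None
    # Every address the name resolves to must be outside the blocked ranges.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}", None
    return True, "ok", addrs[0]


# Constructed DNS answers standing in for socket.getaddrinfo so the example runs offline.
# cdn.example.com is allowlisted but points inside the network to show the IP check firing.
FAKE_DNS = {
    "api.example.com": ["93.184.215.14"],
    "cdn.example.com": ["10.0.0.5"],
}


def fake_resolver(host, port, *args, **kwargs):
    """Mimics the getaddrinfo return shape: (family, type, proto, canonname, sockaddr)."""
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed: name not found")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in FAKE_DNS[host]]
```

The validator closes the check-then-use gap only if the HTTP client connects to the returned `pinned_ip` (sending the original name in the Host header / SNI) rather than resolving the name a second time, and only if the client is configured not to follow redirects, since a redirect would otherwise carry the request to a destination that was never validated.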

Symptoms

Observable signs that may indicate SSRF:

  • Server makes outbound HTTP requests to attacker-provided URLs.
  • Access to internal metadata endpoints (e.g., 169.254.169.254) observed in logs.
  • High latency or timeouts when fetching user-supplied URLs.

Example Errors:

  • ECONNREFUSED to 127.0.0.1 from server
  • Timeout fetching http://169.254.169.254/latest/meta-data/
  • DNS resolution failed for crafted hostname
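The symptoms and example errors above turned into detection logic, as an added example (not from the page or from peqy.ai): a small analyser over outbound-request log lines. The `key=value` log format, the timestamps, destinations and durations are constructed for the example, since the page specifies no log format. A line is flagged as high severity when its destination is the cloud metadata address or any loopback, link-local or private IP literal, and as medium severity when it only shows a timeout, a connection refusal or an unusually slow fetch.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed outbound-request log lines (not real traffic) in an assumed key=value format.
SAMPLE_LOG = """\
ts=2025-10-21T10:00:01Z svc=fetcher dst=https://cdn.example.com/img.png status=200 dur_ms=120
ts=2025-10-21T10:00:02Z svc=fetcher dst=http://169.254.169.254/latest/meta-data/ status=timeout dur_ms=30000
ts=2025-10-21T10:00:03Z svc=fetcher dst=http://127.0.0.1:6379/ status=ECONNREFUSED dur_ms=3
ts=2025-10-21T10:00:04Z svc=fetcher dst=http://10.0.0.12:8500/v1/kv/ status=200 dur_ms=45
ts=2025-10-21T10:00:05Z svc=fetcher dst=https://api.example.com/v1/items status=200 dur_ms=9000
"""

KV = re.compile(r"(\w+)=(\S+)")
METADATA_HOST = "169.254.169.254"
ERROR_STATUSES = {"timeout", "ECONNREFUSED"}
SLOW_MS = 5000  # assumed threshold; tune to the service's normal fetch latency


def internal_destination(host):
    """True when host is an IP literal in loopback, link-local or private space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: its target cannot be judged without resolution
    return ip.is_loopback or ip.is_link_local or ip.is_private


def analyse(log_text):
    """Return one finding per suspicious line: {ts, dst, severity, reasons}."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        dst = fields.get("dst", "")
        host = urlsplit(dst).hostname
        reasons = []
        severity = None
        if host == METADATA_HOST:
            reasons.append("request to cloud metadata endpoint")
            severity = "high"
        elif host and internal_destination(host):
            reasons.append(f"request to internal address {host}")
            severity = "high"
        if fields.get("status") in ERROR_STATUSES:
            reasons.append(f"outbound error {fields['status']}")
            severity = severity or "medium"
        if int(fields.get("dur_ms", "0")) >= SLOW_MS:
            reasons.append(f"slow fetch ({fields['dur_ms']} ms)")
            severity = severity or "medium"
        if reasons:
            findings.append({"ts": fields.get("ts"), "dst": dst,
                             "severity": severity, "reasons": reasons})
    return findings
```

Hostname destinations are left unflagged here because their real target is only known after resolution; pairing this with egress-side logs that record the connected IP closes that gap. The medium-severity signals are noisy on their own and are best used to corroborate a high-severity hit or a spike from one service.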

© 2025 peqy.ai · Bug Taxonomy