CWE Top 25 — #19

Server-Side Request Forgery (SSRF)

CWE-918

An endpoint fetches a URL from user input without validating the destination, letting an attacker hit internal services (metadata endpoints, databases, admin panels).

GateTest coverage

Caught by: ssrf

Example

fetch(req.query.url) — the attacker passes http://169.254.169.254/latest/meta-data/iam/security-credentials/ and the server, which sits inside the VPC, makes the request on their behalf. On an EC2 instance with IMDSv1 enabled the response names the instance role; a second request to .../security-credentials/<role-name> returns that role's temporary access key, secret key and session token, which the endpoint relays straight back to the attacker. IMDSv2 requires a session token obtained with a PUT request, which a user-controlled GET cannot supply, but the same primitive still reaches any other internal service the instance can talk to.

How to fix it

Never let user input determine the destination host. Use an allowlist of permitted hosts, pin the scheme and port, and refuse URLs that carry userinfo. Reject private, loopback and link-local ranges (including the cloud metadata address 169.254.169.254) together with their IPv6 equivalents (::1, fc00::/7, fe80::/10 and IPv4-mapped ::ffff:a.b.c.d). Apply that check to the addresses the hostname actually resolves to, not to the string the user typed, because an attacker-controlled DNS name can point at an internal address. Disable automatic redirect following, since a 302 from an allowlisted host would otherwise send the request to an internal one, and re-run every check on each hop. The ssrf module flags taint from req.* to fetch/axios/got/http.request without a validator.

Scan your repo for CWE-918

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.

Frequently asked questions

What is CWE-918 (Server-Side Request Forgery (SSRF))?

An endpoint fetches a URL from user input without validating the destination, letting an attacker hit internal services (metadata endpoints, databases, admin panels).

How do I fix server-side request forgery (ssrf)?

Never let user input determine the destination host. Use an allowlist of permitted hosts, pin the scheme and port, and refuse URLs that carry userinfo. Reject private, loopback and link-local ranges (including the cloud metadata address 169.254.169.254) together with their IPv6 equivalents (::1, fc00::/7, fe80::/10 and IPv4-mapped ::ffff:a.b.c.d). Apply that check to the addresses the hostname actually resolves to, not to the string the user typed, because an attacker-controlled DNS name can point at an internal address. Disable automatic redirect following, since a 302 from an allowlisted host would otherwise send the request to an internal one, and re-run every check on each hop. The ssrf module flags taint from req.* to fetch/axios/got/http.request without a validator.

Does GateTest detect server-side request forgery (ssrf)?

Yes — GateTest's ssrf module catches this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.

What rank is Server-Side Request Forgery (SSRF) in the CWE Top 25?

Server-Side Request Forgery (SSRF) is ranked #19 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).

Related CWEs