SSRF Risk

User-controlled URLs passed to fetch in server code

critical · Security · ssrf-risk

Why this matters

Server-side request forgery lets attackers make your server fetch internal resources (metadata APIs, databases, admin panels) by passing crafted URLs.

Bad

export async function GET(req: Request) {
  const url = new URL(req.url);
  // The target is taken straight from the query string and fetched unchecked,
  // so any reachable internal address can be requested through this handler.
  const target = url.searchParams.get("url")!;
  const res = await fetch(target);
  return new Response(await res.text());
}
Good

const ALLOWED_HOSTS = ["api.example.com"];

export async function GET(req: Request) {
  const url = new URL(req.url);
  const raw = url.searchParams.get("url");
  // A missing or unparsable parameter is a client error, not a server crash.
  let target: URL;
  try {
    target = new URL(raw ?? "");
  } catch {
    return new Response("Bad Request", { status: 400 });
  }
  // Compare the parsed hostname, not the raw string, against the allowlist.
  if (!ALLOWED_HOSTS.includes(target.hostname)) {
    return new Response("Forbidden", { status: 403 });
  }
  const res = await fetch(target.toString());
  return new Response(await res.text());
}

How to fix

Validate and allowlist the hostname before making server-side requests. Block internal IPs (127.0.0.1, 169.254.x.x, 10.x.x.x) and cloud metadata endpoints.
