Skip to main content
VibeAudit Liability Index
highSSRF/egress riskFix order 2

SSRF Open Proxy

What it is

URL-like user input appears to reach a server-side HTTP request without host/protocol allowlist evidence.

This usually appears when request-shaped data moves through helper functions until the original trust boundary is no longer obvious.

How to fix it

Use explicit host/protocol allowlists, block private/link-local/cloud metadata addresses, and test denied egress destinations.

  1. 1Allowlist the hosts and protocols server-side fetches may reach.
  2. 2Block private, link-local, and cloud metadata addresses at the egress boundary.
  3. 3Test denied destinations to prove the allowlist holds.

How VibeAudit checks for this

VibeAudit checks this with scoped evidence from supported structural checks, external observations, and authorized probes where available. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan