Property

Language: javascript
Severity: high
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

This rule flags Express handlers in which user-controlled input from the incoming HTTP request is used directly to build the URL of an outgoing server-side request. Because the attacker then chooses the destination (scheme, host, port and path) of a request that originates from the server, this is server-side request forgery.

Impact

If exploited, attackers could make your server connect to internal systems, external malicious sites, or cloud metadata endpoints, leading to data theft, internal network scanning, or even remote code execution. This can compromise sensitive infrastructure and expose confidential information.