ssrf
Safeguard articles tagged "ssrf" — guides, analysis, and best practices for software supply chain and application security.
25 articles
What is SSRF (Server-Side Request Forgery)?
Server-side request forgery tricks your own backend into making attacker-chosen requests — often against internal systems it should never reach. Here's how SSRF works and how to shut it down.
Securing Next.js applications and middleware
CVE-2025-29927 let attackers bypass Next.js middleware auth with one header. Here's how that and three other real CVEs expose middleware, Server Actions, and caching.
What is Server-Side Request Forgery (SSRF)
SSRF turns a server's own trusted network position against it. Learn how the Capital One breach happened, real CVEs, and how to detect and prevent it.
OWASP API Security Top 10 Explained
The 2023 OWASP API Security Top 10 explained with real breaches — T-Mobile, Optus, Peloton — plus what changed since 2019 and how to prioritize fixes.
Unsafe Consumption of APIs
OWASP's API10:2023 exposes a blind spot: teams sanitize user input but blindly trust API responses from partners, vendors, and internal services.
Python urllib.parse NFKC normalization blocklist bypass (CVE-2023-24329)
CVE-2023-24329 let attackers bypass URL blocklists via leading blank characters in Python's urllib.parse, enabling SSRF and filter evasion.
Server-Side Request Forgery (SSRF): how it works and how to prevent it
SSRF turns a server into an attacker's proxy into your internal network. Here's how it works, what Capital One's breach taught the industry, and how to stop it.
SSRF via webhooks explained
Webhook SSRF turns a trusted callback feature into an internal network foothold. Here is how the attack works, real incidents, and how to actually fix it.
CVE-2023-26159: SSRF/credential exposure in follow-redire...
CVE-2023-26159 shows how flawed URL parsing in follow-redirects let attackers trigger SSRF and leak Authorization headers across unintended hosts.
Pandoc CVE-2025-51591: SSRF Against EC2 Metadata in the Wild
Wiz documented active exploitation of Pandoc CVE-2025-51591 to reach the AWS IMDS through iframe rendering. Here is the kill chain and the production controls that contained it.
Commvault CVE-2025-34028: SSRF to RCE in Enterprise Backup Software
A critical SSRF vulnerability in Commvault Command Center allowed unauthenticated attackers to achieve remote code execution on backup infrastructure. CISA added it to the KEV catalog.
Server-Side Request Forgery (SSRF): The Vulnerability That Unlocks Cloud Metadata
SSRF lets attackers reach internal services through your application. In cloud environments, that often means access to instance metadata and IAM credentials.