Why it matters
SSRF via LLM is critical vulnerability. Understanding shapes tool safety.
Advertisement
The architecture
User asks LLM to fetch URL.
Attacker-chosen internal URL.
Tool fetches metadata.
Advertisement
How it works end to end
Block: metadata URLs (169.254.169.254), localhost, private IPs.
Allowlist external domains.
IMDSv2 required for AWS.