Why it matters

SSRF via LLM is critical vulnerability. Understanding shapes tool safety.

Advertisement

The architecture

User asks LLM to fetch URL.

Attacker-chosen internal URL.

Tool fetches metadata.

SSRF via LLMURL requestvia LLM toolFetch internalAWS IMDS etc.Return + exfilcredentials leakedURL allowlist + IMDSv2 + no-metadata roles mitigate; classic SSRF defenses apply
SSRF.
Advertisement

How it works end to end

Block: metadata URLs (169.254.169.254), localhost, private IPs.

Allowlist external domains.

IMDSv2 required for AWS.