Your application fetches a URL. The user supplied it. Your server makes the request, follows the redirect, and returns the content. The URL pointed to http://169.254.169.254/latest/metadata/iam/security-credentials/production-role. Your application just handed the attacker your cloud credentials.

TL;DR: SSRF lets an attacker trick your server into making requests on their behalf — to internal services, cloud metadata endpoints, or infrastructure never meant to be reachable from the outside. CVE-2024-29415 in the npm ip package allowed attackers to bypass SSRF protections using non-standard IP representations that isPublic() incorrectly classified as safe. CVSS 8.1 High.

Your test suite almost certainly validates that your URL-fetching feature works. It does not validate that it refuses to fetch http://169.254.169.254/latest/meta-data/ or http://127.1/admin. The fix requires an allowlist of permitted destinations, not a blocklist. Blocklists fail because IP representations are infinite.…
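The check described above, as an added example that is not code from the original post or from the npm ip package: it normalizes the shorthand IPv4 forms that string-level blocklists miss (the class of representation behind CVE-2024-29415), enforces a hostname allowlist as the primary control, and re-checks every resolved address as defense in depth. The resolver is injected so the example runs offline; the DNS table, the hostnames (api.partner.example, rebind.partner.example) and the addresses are constructed for illustration and are not real records.

```python
"""Added SSRF destination check: normalize the host, enforce an allowlist, re-check resolved addresses."""
import ipaddress
import re
from urllib.parse import urlsplit

# inet_aton-style IPv4 shorthand: 1-4 dot-separated parts, each decimal, 0-prefixed octal or 0x hex.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def parse_legacy_ipv4(text):
    """Return the IPv4Address that libc-style parsers derive from shorthand such as
    '127.1', '0x7f000001', '2130706433' or '0177.0.0.1'; None if text is not such a literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not _PART.fullmatch(part):
            return None
        base = 16 if part[:2].lower() == "0x" else 8 if part.startswith("0") and len(part) > 1 else 10
        values.append(int(part[2:] if base == 16 else part, base))
    *head, last = values
    tail_bytes = 4 - len(head)  # the final part fills every remaining byte, as inet_aton does
    if any(v > 255 for v in head) or last >= 256 ** tail_bytes:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << (8 * tail_bytes)) | last)


def canonical_ip(host):
    """Canonical address if host is an IP literal in any accepted form, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return parse_legacy_ipv4(host)


# Ranges a server-side fetcher should never reach: loopback, link-local (cloud metadata lives
# there), RFC 1918, CGNAT, multicast, reserved, IPv6 unspecified/loopback/ULA/link-local.
_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def is_blocked_ip(addr):
    """True if addr falls in a blocked range; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in _BLOCKED)


def naive_blocklist_rejects(host):
    """A string-level blocklist of the kind that shorthand representations slip past; here only to
    show why normalization is required before any range check."""
    return host.startswith("127.") or host.startswith("10.") or host == "169.254.169.254"


def validate_fetch_target(url, allowed_hosts, resolver):
    """Decide whether the server may fetch url. Returns (True, [addresses]) or (False, reason).
    resolver(host) -> list of IP strings; injected so the check is testable offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not permitted: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not permitted"
    host = parts.hostname
    if host is None:
        return False, "no host"
    if host not in allowed_hosts:  # primary control: exact match against the allowlist
        return False, f"host not in allowlist: {host!r}"
    literal = canonical_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (LookupError, ValueError, OSError) as exc:
            return False, f"resolution failed for {host!r}: {exc}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    for addr in addrs:  # defense in depth: an allowlisted name must not point back inside
        if is_blocked_ip(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, [str(a) for a in addrs]


# Constructed resolver standing in for DNS so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "rebind.partner.example": ["203.0.113.11", "10.0.0.5"],  # allowlisted name pointing inside
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS[host]


ALLOWED_HOSTS = frozenset(CONSTRUCTED_DNS)

if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report", "http://169.254.169.254/latest/meta-data/",
                      "http://127.1/admin", "http://2130706433/admin", "https://rebind.partner.example/",
                      "http://api.partner.example@127.1/"):
        print(candidate, "->", validate_fetch_target(candidate, ALLOWED_HOSTS, constructed_resolver))
```

In production the resolver would wrap socket.getaddrinfo, and the HTTP client should connect to the address this check returned rather than resolving the name a second time, so that a record changed between check and connect cannot redirect the request; redirects must be re-validated through the same function before they are followed.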