SSRF

SSRF in Go Gin remediation guide [Apr 2026] [GHSA-7r9j-r86q-7g45]

[Updated Apr 2026] Updated GHSA-7r9j-r86q-7g45

Overview

SSRF is a real-world risk where an attacker tricks the server into fetching resources from an arbitrary URL supplied by the user. In Go applications using Gin, this typically happens when an endpoint accepts a URL parameter and uses net/http to GET that URL. The impact includes access to internal services, metadata endpoints, or cloud metadata, data exfiltration, and potential undesired outgoing requests and charges. Without proper checks, an attacker can map internal topology and reach sensitive resources. In this guide we describe how SSRF manifests in Go Gin apps and outline pragmatic mitigations: URL validation, host allowlists, IP-based filtering, timeouts, and a safe HTTP client. Note: there are no CVEs provided in this guide; adapt guidance to your environment and consider adding tests.

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
  "io"
  "net"
  "net/http"
  "net/url"
  "time"
  "github.com/gin-gonic/gin"
)

func main() {
  r := gin.Default()
  r.GET("/vuln", fetchVulnerable)
  r.GET("/fix", fetchFixed)
  r.Run(":8080")
}

// Vulnerable pattern: direct use of user-supplied URL
func fetchVulnerable(c *gin.Context) {
  target := c.Query("url")
  resp, err := http.Get(target)
  if err != nil {
     c.String(http.StatusBadGateway, "fetch error: %v", err)
     return
  }
  defer resp.Body.Close()
  body, _ := io.ReadAll(resp.Body)
  c.Data(resp.StatusCode, resp.Header.Get("Content-Type"), body)
}

// Fixed version: validate URL and constrain client
func fetchFixed(c *gin.Context) {
  target := c.Query("url")
  if !isValidURL(target) {
     c.String(http.StatusBadRequest, "invalid URL")
     return
  }
  req, err := http.NewRequest("GET", target, nil)
  if err != nil {
     c.String(http.StatusBadRequest, "bad request")
     return
  }
  client := &http.Client{
     Timeout: 5 * time.Second,
     Transport: &http.Transport{
        Proxy: http.ProxyFromEnvironment,
     },
  }
  resp, err := client.Do(req)
  if err != nil {
     c.String(http.StatusBadGateway, "fetch error: %v", err)
     return
  }
  defer resp.Body.Close()
  body, _ := io.ReadAll(resp.Body)
  c.Data(resp.StatusCode, resp.Header.Get("Content-Type"), body)
}

// URL validator: ensure http/https and no private/internal destinations
func isValidURL(raw string) bool {
  u, err := url.Parse(raw)
  if err != nil {
     return false
  }
  if u.Scheme != "http" && u.Scheme != "https" {
     return false
  }
  host := u.Hostname()
  ips, err := net.LookupIP(host)
  if err != nil || len(ips) == 0 {
     return false
  }
  for _, ip := range ips {
     if ip.IsPrivate() || ip.IsLoopback() {
        return false
     }
  }
  return true
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.