Overview
SSRF vulnerabilities in Node.js/Express allow an attacker to coerce the server into making requests to arbitrary internal or external resources based on user-supplied input. This can lead to sensitive data exposure, disrupted services, and abuse of cloud metadata endpoints. No CVEs are provided in this guide.
In real-world Express apps, SSRF often arises when a route accepts a URL from a user and then fetches or proxies that URL without proper validation. Attackers can use this to access protected services, internal networks, or cloud instance metadata.
While CVEs are not cited here, this class of flaw has been widely observed in poorly sanitized request flows and remains a top risk in API gateways and microservice architectures.
Code Fix Example
Node.js (Express) API Security Remediation
/* Vulnerable pattern: the user-controlled URL is fetched as-is, so the
   server can be pointed at loopback, private-network or cloud metadata
   addresses and echoes the response back to the caller. */
async function fetchResource(req, res) {
  const url = req.query.url;          // attacker-controlled, never validated
  const response = await fetch(url);  // server-side request to an arbitrary target
  const text = await response.text();
  res.send(text);                     // response body returned verbatim
}
/* Fixed pattern: parse the input, accept only http/https, and enforce an
   allow-list of destination hosts before making the request. */
const ALLOWED_HOSTS = new Set(['example.com', 'api.example.org']);

async function fetchResource(req, res) {
  try {
    const url = req.query.url;
    if (typeof url !== 'string') {
      return res.status(400).send('Missing URL');  // ?url=a&url=b arrives as an array
    }
    const parsed = new URL(url);  // throws on malformed input, caught below
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return res.status(400).send('Unsupported protocol');
    }
    // Enforce allow-list of hosts (exact hostname match, no suffix matching)
    if (!ALLOWED_HOSTS.has(parsed.hostname)) {
      return res.status(403).send('Host not allowed');
    }
    // Fetch the normalised URL and refuse redirects, so an allowed host
    // cannot bounce the request to a destination that was never allow-listed.
    const response = await fetch(parsed.href, { redirect: 'error' });
    const text = await response.text();
    res.send(text);
  } catch (e) {
    res.status(400).send('Invalid URL');
  }
}
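As an added example that is not part of the original guide, the following JavaScript layers two further checks on the allow-list above: rejecting credentials embedded in the URL, and a deny-list of internal address ranges applied to the address the allow-listed hostname resolves to (in production, obtain that address with dns.promises.lookup, an assumed integration step, and pass it to checkResolvedAddress). The function and constant names are this example's own.

```javascript
// Added example, not code from the guide above. Step 1 runs before any
// network I/O; step 2 runs on the resolved address and catches an
// allow-listed name that points at loopback, RFC 1918 space or 169.254.169.254.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for any address a server should never be coerced into contacting.
function isInternalAddress(ip) {
  const v4 = IPV4.exec(ip);
  if (v4) {
    const octets = v4.slice(1).map(Number), [a, b] = octets;
    if (octets.some((o) => o > 255)) return true;  // malformed literal: reject
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) ||   // RFC 1918
      (a === 192 && b === 168) ||            // RFC 1918
      (a === 169 && b === 254) ||            // link-local incl. cloud metadata
      (a === 100 && b >= 64 && b <= 127);    // shared address space (RFC 6598)
  }
  const v6 = ip.toLowerCase();
  if (v6 === '::1' || v6 === '::') return true;            // loopback, unspecified
  if (/^f[cd]/.test(v6)) return true;                       // fc00::/7 unique local
  if (/^fe[89ab]/.test(v6)) return true;                    // fe80::/10 link-local
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);  // IPv4-mapped IPv6
  if (mapped) return isInternalAddress(mapped[1]);
  return !v6.includes(':');  // other IPv6 literals are public; non-literals are rejected
}

// Step 1: parse and allow-list. Returns { ok, href, hostname } or { ok, reason }.
function checkOutboundUrl(raw, allowedHosts) {
  let parsed;
  try { parsed = new URL(raw); } catch { return { ok: false, reason: 'invalid URL' }; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'unsupported protocol' };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'credentials in URL' };  // user@host confusion
  }
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: 'host not allowed' };
  }
  return { ok: true, href: parsed.href, hostname: parsed.hostname };
}

// Step 2: reject if the address the hostname resolved to is internal.
function checkResolvedAddress(address) {
  return isInternalAddress(address)
    ? { ok: false, reason: 'resolves to internal address' }
    : { ok: true, address };
}
```

Because the resolved address is checked only once, the caller should connect to that address (or resolve again immediately before connecting) rather than let a later lookup return something different.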