Potential Server-Side Request Forgery (SSRF) vulnerability
SSRF attacks carry a range of risks: the attacker supplies or modifies a URL from which the code running on the server reads data or to which it submits data, and may thereby be able to read server configuration such as cloud service metadata.
SSRF can be exploited to gain access to internal servers inside the network, to scan internal ports, and even to achieve remote code execution. In addition, the attacker may cause the server to make a connection back to itself. The attacker may also use this functionality to import untrusted data into code that expects to read data only from trusted sources, and so bypass input validation.
To prevent SSRF vulnerabilities in your web applications, the ideal situation is one where your application does not need to make arbitrary requests at all. Where it does, it is strongly advised to define and enforce a whitelist of allowed domains and protocols. As a best practice, avoid passing user input to functions that make requests from the backend.
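The two mitigations above, a whitelist of allowed domains and protocols and keeping user input out of backend request functions, can be implemented as a gatekeeper that runs immediately before the HTTP client is called. The following Python is an added example and not code from the original page; the allowed hosts, the report keys and every candidate URL are constructed values chosen for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Outbound destinations the backend is permitted to contact, keyed by host
# with the single port allowed for that host. Constructed for this example.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com": 443, "cdn.example.com": 443}

# Preferred pattern: the client chooses a short key and the server owns the
# URL, so no user-controlled string ever reaches the HTTP client. Constructed.
REPORT_SOURCES = {
    "sales": "https://api.example.com/reports/sales",
    "inventory": "https://api.example.com/reports/inventory",
}


def resolve_report_url(key: str) -> Optional[str]:
    """Map a user-supplied key to a fixed server-side URL; None if unknown."""
    return REPORT_SOURCES.get(key)


def is_allowed_url(url: str) -> bool:
    """Return True only if url targets an allowlisted scheme, host and port.

    The check is deliberately strict: exact host match (no suffix or
    substring matching), no embedded credentials, and the port must equal
    the one registered for that host, including when the scheme implies it.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # Reject "user:pw@host" forms outright: different clients disagree on
    # which side of the '@' is the host, so they must never pass the check.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    return port == ALLOWED_HOSTS[host]


def validated_target(url: str) -> str:
    """Gatekeeper to call right before the backend HTTP client; raises on miss."""
    if not is_allowed_url(url):
        raise ValueError("destination not in outbound allowlist")
    return url


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/status",
        "http://api.example.com/v1/status",
        "https://api.example.com:8443/",
        "https://user@api.example.com/",
        "https://internal-service.local/",
        "https://api.example.com.other.test/",
    ):
        print(f"{candidate!r:50} allowed={is_allowed_url(candidate)}")
```

The check validates the URL string only. If the HTTP client follows redirects, each redirected location needs the same check, and because the hostname is resolved after this check, a DNS rebinding defence (resolving once and pinning the connection to the validated address, or restricting the resolver) is still required. The key-based `resolve_report_url` pattern avoids both problems and should be preferred wherever the set of destinations is known in advance.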
Server-Side Request Forgery (SSRF) is an attack that can be used to make your application issue arbitrary HTTP requests.
SSRF is widely used by attackers to proxy requests from services exposed on the internet to un-exposed internal endpoints.