GuardAPI

Fix SSRF (Server Side Request Forgery) in Meteor

SSRF in Meteor.js environments typically manifests in server-side Methods or API routes when user-supplied input is passed to global fetch or the legacy HTTP package. In a Meteor context, this allows an attacker to bypass firewalls, pivot into the internal VPC, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP instance credentials) by forcing the server to make requests to unauthorized internal endpoints.

The Vulnerable Pattern

```javascript
import { Meteor } from 'meteor/meteor';
import fetch from 'node-fetch';

Meteor.methods({
  'proxyRequest': async function (targetUrl) {
    // DANGER: No validation on targetUrl.
    // Attacker can pass 'http://169.254.169.254/latest/meta-data/'
    const response = await fetch(targetUrl);
    return response.text();
  }
});
```

The Secure Implementation

The fix implements a defense-in-depth strategy. First, it enforces the HTTPS protocol, which rejects every other scheme and prevents protocol smuggling. Second, it performs a DNS lookup on the hostname and runs an IP validation check to ensure the resolved address does not belong to private (RFC 1918), loopback, or reserved address spaces. Finally, the fetch configuration disables automatic redirects, so an attacker cannot bypass the initial checks by having a 'safe' URL redirect to an internal one.

```javascript
import { Meteor } from 'meteor/meteor';
import { URL } from 'url';
import dns from 'dns';
import { isPrivate } from 'ip';
import fetch from 'node-fetch'; // provides the `timeout` option used below

const validateUrl = async (inputUrl) => {
  const parsed = new URL(inputUrl);
  if (parsed.protocol !== 'https:') throw new Error('Insecure protocol');

  // Resolve every address for the host and reject the URL if any of them
  // is private, loopback or otherwise reserved.
  const records = await dns.promises.lookup(parsed.hostname, { all: true });
  if (records.some(({ address }) => isPrivate(address))) {
    throw new Error('Access to internal network is prohibited');
  }
  return inputUrl;
};

Meteor.methods({
  'proxyRequest': async function (targetUrl) {
    try {
      const safeUrl = await validateUrl(targetUrl);
      const response = await fetch(safeUrl, {
        redirect: 'error', // Prevent redirect-based SSRF
        timeout: 2000
      });
      return response.text();
    } catch (err) {
      throw new Meteor.Error('403', 'Forbidden: ' + err.message);
    }
  }
});
```


Verified by Ghost Labs Security Team