GuardAPI

Fix SSRF (Server Side Request Forgery) in Micronaut

SSRF in Micronaut allows attackers to pivot into internal infrastructure by abusing the server's HttpClient. If you're piping user-supplied URLs directly into a request without validation, you're handing over your internal network. This guide covers how to kill SSRF at the source.

The Vulnerable Pattern

```java
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.QueryValue;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.client.annotation.Client;
import jakarta.inject.Inject;

@Controller("/proxy")
public class VulnerableController {
    @Inject @Client("/") HttpClient client;

    @Get("/fetch")
    public String fetch(@QueryValue String url) {
        // CRITICAL: user-controlled URL passed directly to the client, no scheme or host check
        return client.toBlocking().retrieve(url);
    }
}
```

The Secure Implementation

The fix implements a defense-in-depth approach. First, it enforces the HTTPS scheme to prevent protocol smuggling (e.g., file://, gopher://). Second, it uses a strict domain allow-list to ensure requests only hit known-good endpoints. For high-security environments, you should also implement a custom HttpClientFilter that resolves the hostname to an IP address and blocks it if it falls within private CIDR blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) to prevent DNS rebinding and internal pivoting.

```java
import java.net.URI;
import java.util.Set;

import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.QueryValue;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.client.annotation.Client;
import io.micronaut.http.exceptions.HttpStatusException;
import jakarta.inject.Inject;

@Controller("/proxy")
public class SecureController {
    private static final Set<String> ALLOWED_DOMAINS = Set.of("api.trusted.com", "images.trusted.com");

    @Inject @Client("/") HttpClient client;

    @Get("/fetch")
    public String fetch(@QueryValue String url) {
        URI uri;
        try {
            uri = URI.create(url);  // throws IllegalArgumentException on a malformed URL
        } catch (IllegalArgumentException e) {
            throw new HttpStatusException(HttpStatus.BAD_REQUEST, "Malformed URL");
        }

        // 1. Enforce HTTPS
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new HttpStatusException(HttpStatus.BAD_REQUEST, "Insecure scheme");
        }

        // 2. Strict domain allow-list. getHost() is null for opaque or host-less URIs,
        //    and Set.of(...).contains(null) throws NPE, so reject a null host explicitly.
        String host = uri.getHost();
        if (host == null || !ALLOWED_DOMAINS.contains(host)) {
            throw new HttpStatusException(HttpStatus.FORBIDDEN, "Untrusted destination");
        }

        // 3. Prevent internal IP access (RFC 1918 / loopback)
        //    In production, resolve the IP and verify it is not private/local (see the client filter)
        return client.toBlocking().retrieve(HttpRequest.GET(uri));
    }
}
```
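The HttpClientFilter described above, written out as an added example (this is not GuardAPI's code). It assumes the Micronaut 3.x-style HttpClientFilter and ClientFilterChain interfaces, that reactor-core is on the classpath (the Netty HttpClient brings it), and that the class name PrivateNetworkBlockingFilter and the Cidr helper are names chosen here. It goes slightly beyond the article's list: besides the four IPv4 ranges named above it also rejects 169.254.0.0/16 (link-local, where cloud metadata endpoints live), the IPv6 loopback, link-local and unique-local ranges, and the wildcard address, and it fails closed if any address a name resolves to is private, not just the first.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

import org.reactivestreams.Publisher;
import reactor.core.publisher.Flux;

import io.micronaut.http.HttpResponse;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.MutableHttpRequest;
import io.micronaut.http.annotation.Filter;
import io.micronaut.http.exceptions.HttpStatusException;
import io.micronaut.http.filter.ClientFilterChain;
import io.micronaut.http.filter.HttpClientFilter;

// Added example, not the article's code: runs on every outbound HttpClient request,
// resolves the destination host and refuses to proceed if any resolved address is
// loopback, link-local, wildcard or inside a private range.
@Filter(Filter.MATCH_ALL_PATTERN)
public class PrivateNetworkBlockingFilter implements HttpClientFilter {

    // IPv4 ranges from the article, plus 169.254.0.0/16 (link-local / cloud metadata).
    private static final List<Cidr> BLOCKED_V4 = List.of(
            new Cidr("10.0.0.0", 8),
            new Cidr("172.16.0.0", 12),
            new Cidr("192.168.0.0", 16),
            new Cidr("127.0.0.0", 8),
            new Cidr("169.254.0.0", 16));

    @Override
    public Publisher<? extends HttpResponse<?>> doFilter(MutableHttpRequest<?> request, ClientFilterChain chain) {
        String host = request.getUri().getHost();
        if (host == null) {
            return reject(HttpStatus.BAD_REQUEST, "Request has no host");
        }
        InetAddress[] resolved;
        try {
            // Literal IPs are returned as-is; names are looked up, returning every record.
            resolved = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return reject(HttpStatus.BAD_REQUEST, "Unresolvable host");
        }
        // Fail closed: a name that returns one public and one private record is rejected.
        for (InetAddress addr : resolved) {
            if (isBlocked(addr)) {
                return reject(HttpStatus.FORBIDDEN, "Destination resolves to a private or local address");
            }
        }
        return chain.proceed(request);
    }

    private static Publisher<? extends HttpResponse<?>> reject(HttpStatus status, String reason) {
        return Flux.error(new HttpStatusException(status, reason));
    }

    static boolean isBlocked(InetAddress addr) {
        // JDK predicates cover 127/8 and ::1, 169.254/16 and fe80::/10, 0.0.0.0 and ::, and fec0::/10.
        if (addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                || addr.isAnyLocalAddress() || addr.isSiteLocalAddress()) {
            return true;
        }
        byte[] raw = addr.getAddress();
        if (raw.length == 16) {
            // IPv6 unique-local fc00::/7 is not flagged by isSiteLocalAddress(); check the top 7 bits.
            return (raw[0] & 0xfe) == 0xfc;
        }
        return BLOCKED_V4.stream().anyMatch(c -> c.contains(raw));
    }

    // Minimal IPv4 CIDR matcher (helper written for this example, not a Micronaut type).
    static final class Cidr {
        private final int network;
        private final int mask;

        Cidr(String dotted, int prefixLength) {
            this.mask = prefixLength == 0 ? 0 : -1 << (32 - prefixLength);
            this.network = toInt(dotted.split("\\.")) & mask;
        }

        boolean contains(byte[] raw) {
            int ip = ((raw[0] & 0xff) << 24) | ((raw[1] & 0xff) << 16)
                    | ((raw[2] & 0xff) << 8) | (raw[3] & 0xff);
            return (ip & mask) == network;
        }

        private static int toInt(String[] octets) {
            int v = 0;
            for (String o : octets) {
                v = (v << 8) | Integer.parseInt(o);
            }
            return v;
        }
    }
}
```

Two caveats a reviewer would raise. First, the filter resolves the name once, but the client resolves it again when it opens the connection, so a DNS answer that changes between the two lookups (rebinding) can still slip through; fully closing that window means pinning the connection to the address that was checked (for example rewriting the request to the literal IP and carrying the original name in the Host header), not just checking it. Second, the Micronaut client follows redirects by default, and a 3xx from an allow-listed host can point anywhere, so the proxy client should run with `micronaut.http.client.follow-redirects: false` or validate each hop the same way.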

Verified by Ghost Labs Security Team