Fix SSRF (Server Side Request Forgery) in Qwik
SSRF in a Qwik application is a high-impact bug. Because `routeLoader$` and `routeAction$` run only on the server, unvalidated user input passed to `fetch()` lets an attacker make the server issue requests on their behalf: probing cloud metadata services (AWS/GCP), hitting services bound to localhost, or pivoting into private subnets. If a query parameter flows into a fetch call without validation, the server is acting as an open proxy into your internal infrastructure.
The Vulnerable Pattern
import { routeLoader$ } from '@builder.io/qwik-city';

export const useExternalData = routeLoader$(async ({ query }) => {
  const targetUrl = query.get('url');
  // CRITICAL VULNERABILITY: the attacker controls the destination.
  // Can hit http://localhost:8080 or http://169.254.169.254/
  const response = await fetch(targetUrl);
  return response.json();
});
The Secure Implementation
The bug exists because the server acts as a proxy for the attacker's requests. In Qwik, server functions bridge the client to the backend seamlessly, which makes them high-value targets. The fix layers several checks. First, parse the input with the `URL` constructor rather than inspecting the raw string: a check like `target.startsWith('https://api.trusted-partner.com')` is defeated by `https://api.trusted-partner.com@169.254.169.254/`, whereas the parser reports the real hostname. Second, require the `https:` scheme, which rejects `file:`, `gopher:`, and plain `http:` to internal ports. Third, compare `url.hostname` against a strict allowlist of exact hostnames (the parser lowercases it, so case tricks do not help). Finally, pass `redirect: 'error'` to `fetch`, which makes the request fail on any 3xx instead of following it, so an allowlisted host cannot bounce the server to an internal address such as 127.0.0.1. Two caveats: the allowlist is only as trustworthy as the hosts on it, and if a non-default port should never be contacted, check `url.port === ''` as well.
import { routeLoader$ } from '@builder.io/qwik-city';

// Exact hostnames the server may contact; compared against the parsed hostname.
const ALLOWED_DOMAINS = ['api.trusted-partner.com', 'cdn.myapp.io'];

// `error` comes from the request event; throwing its result sets the response status.
export const useExternalData = routeLoader$(async ({ query, error }) => {
  const target = query.get('url');
  if (!target) throw error(400, 'Missing URL parameter');

  // Parse first; only a parse failure is a 400. Keeping the try narrow means
  // the 403s below are not swallowed and re-labelled as 400.
  let url: URL;
  try {
    url = new URL(target);
  } catch {
    throw error(400, 'Invalid URL');
  }

  // 1. Protocol enforcement (blocks file:, gopher:, plain http:, etc.)
  if (url.protocol !== 'https:') {
    throw error(403, 'Only HTTPS allowed');
  }
  // 2. Strict hostname allowlisting against the parsed, lowercased hostname
  if (!ALLOWED_DOMAINS.includes(url.hostname)) {
    throw error(403, 'Target domain not authorized');
  }
  // 3. Refuse redirects so a trusted host cannot bounce us to an internal IP
  const response = await fetch(url.toString(), { redirect: 'error' });
  return response.json();
});
Verified by Ghost Labs Security Team