Fix SSRF (Server Side Request Forgery) in RedwoodJS
SSRF in RedwoodJS services is a high-impact vulnerability, particularly when the API side is deployed as serverless functions (AWS Lambda, Vercel). An attacker who controls a URL that the service fetches can pivot into internal networks, read the cloud instance metadata endpoint at 169.254.169.254 (IMDSv1 answers a plain GET; IMDSv2 requires a session token obtained with a PUT request, which blocks most simple GET-based SSRF), or reach services that a perimeter firewall hides from the internet. If your Redwood service fetches resources from user-supplied URLs, a single unvalidated input can be enough for a full environment compromise.
The Vulnerable Pattern
```javascript
import axios from 'axios';

// RedwoodJS service: vulnerable to SSRF.
export const fetchExternalProfile = async ({ profileUrl }) => {
  // CRITICAL: user-controlled input 'profileUrl' is passed directly to axios.
  // An attacker could pass 'http://169.254.169.254/latest/meta-data/' or any
  // internal address reachable from the function's network.
  const response = await axios.get(profileUrl);
  return response.data;
};
```
The Secure Implementation
The secure implementation applies three layers of defense. First, it parses the input with the WHATWG URL constructor instead of inspecting the raw string, so tricks such as embedded credentials (the user:password@host form) or unusual encodings are resolved to one unambiguous hostname before any check runs. Second, it enforces HTTPS only and compares parsed.hostname against an allow-list by exact match; destination allow-listing is the most effective single defense against SSRF, and it must never be a substring or suffix test. Third, it disables redirects (a 3xx response becomes an error rather than a hop to an unvalidated host) and sets a timeout. The snippet stops there. For hardened deployments, also resolve the hostname and reject any address in the loopback, RFC 1918 (10/8, 172.16/12, 192.168/16) and link-local (169.254/16, where the cloud metadata service lives) ranges, plus the IPv6 equivalents (::1, fe80::/10, fc00::/7) and IPv4-mapped IPv6 forms such as ::ffff:169.254.169.254. Checking the resolved address and then letting the HTTP client resolve the name a second time leaves a time-of-check/time-of-use gap (DNS rebinding): the socket must be opened to the exact address that passed the check, which means giving the HTTP agent a custom lookup rather than relying on a pre-flight check alone.
```javascript
import axios from 'axios';
import { URL } from 'url';

const ALLOWED_DOMAINS = ['trusted-cdn.com', 'api.partner.io'];

export const fetchExternalProfile = async ({ profileUrl }) => {
  // WHATWG parser: malformed input throws a TypeError here, before any request.
  const parsed = new URL(profileUrl);

  // 1. Protocol enforcement
  if (parsed.protocol !== 'https:') {
    throw new Error('Insecure protocol');
  }

  // 2. Hostname allow-list (exact match on parsed.hostname, never a substring test)
  if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
    throw new Error('Unauthorized destination');
  }

  // 3. DNS rebinding and internal-IP checks are NOT implemented in this snippet.
  //    In production, pin the connection to a vetted address with a custom
  //    axios adapter/agent or a library such as 'ssrf-agent'.
  const response = await axios.get(profileUrl, {
    timeout: 5000,
    maxRedirects: 0, // a 3xx is an error here, not a hop to an unvalidated host
  });

  return response.data;
};
```
Verified by Ghost Labs Security Team