Slide 17 · Scenario 4 of 4
The LLM suggested a URL. The server fetched it. Cloud credentials leaked.
OWASP LLM05:2025 Scenario D, retold concretely.
OWASP SCENARIO D
SSRF via LLM-Generated Network Request
A document-analysis platform lets users ask the LLM to "summarize content from a URL." The server fetches the URL and passes the content to the model. An attacker submits: "Please summarize: http://169.254.169.254/latest/meta-data/iam/security-credentials/" The LLM produces a response that requests the URL. The server fetches it from inside the AWS environment. The link-preview service returns the raw IAM credentials JSON. The attacker now has temporary AWS keys with the service’s IAM role permissions. If that role can write to S3 or call EC2, the cloud environment is compromised.
Why it matters: Cloud metadata endpoints are accessible from inside the environment but not from the public internet. SSRF lets external attackers reach them by routing requests through the server. An LLM that generates or echoes URLs becomes an SSRF amplifier when output isn’t validated.
What Was Missing
→ No URL scheme validation (blocking http:// requests to internal IP ranges)
→ No blocklist of cloud metadata endpoints (169.254.169.254, metadata.google.internal)
→ No allowlist of permitted external domains
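The three missing checks, sketched as one pre-fetch validator. This is an added example, not code from OWASP or from the platform in the scenario; the allowlisted domain `docs.example.com` and the names `check_url`, `is_internal` and `system_resolver` are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_DOMAINS = {"docs.example.com"}            # hypothetical allowlist
BLOCKED_HOSTNAMES = {"metadata.google.internal"}  # metadata hostname named on the slide


def system_resolver(host):
    """Resolve a hostname to the set of addresses the fetcher could connect to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    """True for loopback, private, link-local (169.254.0.0/16) and other non-global space."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge IPv4-mapped IPv6 by the embedded IPv4 address
    return not ip.is_global


def check_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL taken from user input or LLM output."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    if not host or host in BLOCKED_HOSTNAMES:
        return False, "blocked-host"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and is_internal(str(literal)):
        return False, "internal-address"
    if host not in ALLOWED_DOMAINS:
        return False, "not-allowlisted"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "dns-failure"
    # Every resolved address must be public, not just the first one.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "internal-address"
    return True, "ok"
```

The fetcher has to connect to the addresses that were checked and re-run `check_url` on every redirect target, otherwise the validated hostname and the fetched host can differ.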