SSRF vulnerability in n8n
Why user input in HTTP URLs can expose your internal network
What is this issue?
Server-Side Request Forgery (SSRF) occurs when user-controlled input is used to construct HTTP request URLs. Attackers can abuse this to access internal services, cloud metadata endpoints, or internal APIs that should not be publicly accessible.
Dangerous patterns:
• HTTP Request URL using $json.url from webhook
• Dynamic URL construction from form input
• User-provided hostnames without validation
• Redirect following without URL verification
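To make the first pattern concrete, here is a small static check over an exported n8n workflow that flags HTTP Request nodes whose URL is built from upstream node data. This is an added example, not code from n8n or from this page's scanner; it assumes that exported workflows list nodes under "nodes", that the HTTP Request node type is "n8n-nodes-base.httpRequest", and that expression-valued parameters are strings starting with "=" containing {{ ... }}. The sample workflow is constructed for illustration.

```javascript
// Added example: heuristic scanner for user-controlled URLs in n8n workflow JSON.
// Assumed (not taken from the page): node type string and "=" expression prefix.
const HTTP_NODE_TYPE = 'n8n-nodes-base.httpRequest';

// Expression fragments that read data produced by an upstream node, such as a
// webhook body or form submission. Any of these in a URL means the URL is tainted.
const TAINT_SOURCES = [/\$json\b/, /\$input\b/, /\$node\b/, /\$\(\s*['"]/];

function isExpression(value) {
  return typeof value === 'string' && value.startsWith('=') && value.includes('{{');
}

function usesUserControlledData(value) {
  return isExpression(value) && TAINT_SOURCES.some((re) => re.test(value));
}

// Returns one finding per HTTP Request node whose url parameter is tainted.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== HTTP_NODE_TYPE) continue;
    const url = node.parameters && node.parameters.url;
    if (usesUserControlledData(url)) {
      findings.push({ node: node.name, url, reason: 'URL built from upstream node data' });
    }
  }
  return findings;
}

// Constructed sample workflow (not a real export): a webhook, one HTTP node that
// requests whatever URL arrived in the webhook body, and one with a fixed URL.
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'fetch' } },
    { name: 'Fetch user URL', type: HTTP_NODE_TYPE, parameters: { url: '={{ $json.body.url }}' } },
    { name: 'Fetch status', type: HTTP_NODE_TYPE, parameters: { url: 'https://status.example.com/api' } },
  ],
};

console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

The check is deliberately conservative: it flags any URL expression that references upstream data, even when a later node sanitizes it, because the safe behaviour is to review every such node rather than to guess at data flow.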
Why is this dangerous?
Internal network access
Attackers can access internal services (databases, APIs) that are only accessible from within your network.
Cloud metadata exposure
Accessing 169.254.169.254 can expose AWS/GCP credentials and instance metadata.
Port scanning
Attackers can use your server to scan internal ports and discover services.
Firewall bypass
Requests from your server bypass external firewalls, accessing otherwise protected resources.
How to fix it
1. Validate URLs against allowlist
Only allow requests to known, trusted domains. Reject all others.
2. Block internal IP ranges
Reject URLs pointing to localhost, 10.x.x.x, 172.16.x.x, 192.168.x.x, and 169.254.x.x.
3. Disable redirects or validate
Don't follow redirects automatically, or validate redirect targets against the same rules.
4. Use URL parsing
Parse URLs properly and validate the hostname component, not just the full string.
Scan your workflow now
Upload your n8n workflow JSON and detect HTTP nodes using user-controlled URLs.