The application makes server-side requests based on user-supplied URLs without proper validation, allowing attackers to make requests to internal resources.
An attacker could access internal services, read sensitive files, scan internal networks, or potentially achieve remote code execution on internal systems.
Implement URL allowlisting for external requests. Block requests to private IP ranges. Disable unnecessary URL schemes. Use a dedicated service for making external requests with strict controls.
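
One way to combine the allowlist, scheme restriction and private-range block recommended above, as an added example (not code from the affected application). The allowlisted host name, the HTTPS-only policy, the sample addresses and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}              # assumption: only HTTPS is required
ALLOWED_HOSTS = {"api.partner.example"}  # assumption: constructed allowlist


def system_resolver(host, port):
    """Resolve host to a list of IP address strings via the system resolver."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public_ip(addr):
    """True only for globally routable unicast addresses; rejects private,
    loopback, link-local, shared, reserved and multicast ranges."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=system_resolver):
    """Return (host, port, pinned_ip) if the URL may be fetched, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    port = parts.port or 443
    # Check every resolved address: one internal record is enough to reject.
    addrs = resolver(host, port)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError("host resolves to a non-public address")
    # The caller connects to this exact IP, so a later DNS change
    # cannot point the already-validated name at an internal address.
    return host, port, addrs[0]
```

The caller should connect to the returned IP rather than resolving the name again, and should either disable automatic redirects or pass each redirect target back through `validate_outbound_url`.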