Will It Vibe logoWill It Vibe?
WEBSEC-010Medium severity-8 points

Server-side request to a request-controlled URL (Node)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An outbound fetch/axios/got/http call takes its URL from req.query/params/body/headers. Heuristic: the destination host may be attacker-controlled (SSRF).

Why it matters

When an outbound fetch or axios call takes its URL from request input, an attacker can point it at internal services, cloud metadata endpoints, or your own admin APIs (server-side request forgery). This is a heuristic match on request-derived URLs; whether it is exploitable depends on how the host is validated. Treat it as a lead to review the call, not a confirmed bug.

How to fix it

Do not let callers control the host. Where the target is one of a few known services, map an input key to a fixed base URL server-side. Where arbitrary URLs are unavoidable, validate against an allowlist of hosts, resolve DNS and block private/link-local ranges, and disable redirects on the request. Keep credentials out of these outbound calls unless the host is trusted.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks