SSRF Pathname Confusion
SSRF via pathname confusion

Affected pattern

Any Node.js application that constructs internal request URLs using naive string concatenation of the form:

    const targetUrl = `http://${host}:${port}${userControlledPathname}`;

and then passes this URL to http.request, http.get, axios, fetch, http-proxy, or similar libraries without strict normalization and validation.

This PoC demonstrates a Server-Side Request Forgery (SSRF) vulnerability caused by differences in how Node.js parses URLs when the path contains special characters like *@.

Root cause

HTTP/2.0 connection preface starts with a special pseudo-request to check if HTTP/2 is available to use: ...
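The affected pattern above, shown next to a validated alternative. This is an added example, not code from the original PoC; the host names (backend.internal, other.example), the function names and the sample inputs are assumptions constructed for illustration. It relies on the WHATWG URL parser treating everything before an `@` in the authority as userinfo.

```javascript
// Added example. Host names, function names and sample inputs are constructed.
const INTERNAL_HOST = 'backend.internal'; // assumed internal service
const INTERNAL_PORT = 8080;

// The affected pattern: user input is appended straight after host:port.
function naiveTarget(pathname) {
  return `http://${INTERNAL_HOST}:${INTERNAL_PORT}${pathname}`;
}

// Where a WHATWG-parsing client would actually connect for a given URL string.
function parsedHost(urlString) {
  return new URL(urlString).hostname;
}

// Hardened form: accept only an origin-form path, resolve it against a fixed
// base, then confirm the parser still sees the intended origin.
function safeTarget(pathname) {
  if (typeof pathname !== 'string' || !pathname.startsWith('/')) {
    throw new Error('pathname must start with "/"');
  }
  const base = new URL(`http://${INTERNAL_HOST}:${INTERNAL_PORT}/`);
  const url = new URL(pathname, base);
  if (url.origin !== base.origin || url.username || url.password) {
    throw new Error('pathname changed the request origin');
  }
  return url;
}

// Returns true when safeTarget refuses the input.
function isRejected(pathname) {
  try {
    safeTarget(pathname);
    return false;
  } catch {
    return true;
  }
}

// Constructed inputs: an ordinary path, two that turn host:port into userinfo
// under concatenation, and a scheme-relative form caught by the origin check.
const samples = ['/api/items?id=1', '@other.example/x', '*@other.example/x', '//other.example/x'];
for (const p of samples) {
  const verdict = isRejected(p) ? 'rejected' : `allowed -> ${safeTarget(p).href}`;
  console.log(JSON.stringify(p), '| naive host:', parsedHost(naiveTarget(p)), '|', verdict);
}
```

The origin comparison after parsing is the check that matters; the leading-slash test only rejects obviously malformed input early.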