GCP Metadata

GCP Metadata SSRF

The proxy fetches `metadata.google.internal` even though it should require the `Metadata-Flavor: Google` header check, leaking GCP service account tokens.

CWE-918
GCP probe

  

Expected Findings

  • Proxy reaches GCP metadata service without setting Metadata-Flavor.
  • Endpoint returns a service-account access token.
  • Same proxy fetches Azure IMDS via `169.254.169.254`.

Signals

Bug
http.Get(req.url) // no metadata host blocklist
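
One way to close the gap shown in the `http.Get(req.url)` line, as an added example that is not part of the original lab and assumes the proxy is written in Go. It goes beyond a hostname blocklist by checking the IP address at connect time, after DNS resolution and on every redirect hop; `errBlocked`, `blockedDest`, `guardDial` and `newProxyClient` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

var errBlocked = errors.New("destination blocked by SSRF policy")

// blockedDest reports whether the proxy must refuse to connect to ip.
// Link-local covers 169.254.169.254, which serves both GCP metadata and Azure IMDS.
func blockedDest(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:169.254.169.254 as its IPv4 form
	return ip.IsLinkLocalUnicast() || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// guardDial is a net.Dialer Control hook. It runs after DNS resolution, so a name
// such as metadata.google.internal is judged by the IP it actually resolved to.
func guardDial(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("%w: unparsable address %q", errBlocked, address)
	}
	if blockedDest(ap.Addr()) {
		return fmt.Errorf("%w: %s", errBlocked, ap.Addr())
	}
	return nil
}

// newProxyClient returns the client the proxy should use instead of http.Get.
func newProxyClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardDial}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext}, // Proxy left nil: no env proxy dials for us
	}
}

func main() {
	// Constructed targets: the metadata address from the page and a documentation-range IP.
	for _, a := range []string{"169.254.169.254:80", "203.0.113.10:443"} {
		fmt.Println(a, "->", guardDial("tcp", a, nil))
	}
}
```

Because the check runs inside the dialer, it also applies to redirects and to hostnames that resolve to the metadata address only at request time.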